Group Signatures with Almost-for-free Revocation

Benoît Libert 1 ⋆, Thomas Peters 1 ⋆⋆, and Moti Yung 2

1 Université catholique de Louvain, ICTEAM Institute (Belgium)
2 Google Inc. and Columbia University (USA)

Abstract. Group signatures are a central cryptographic primitive where users can anonymously and accountably sign messages in the name of a group they belong to. Several efficient constructions with security proofs in the standard model (i.e., without the random oracle idealization) appeared in the recent years. However, like standard PKIs, group signatures need an efficient revocation system to be practical. Despite years of research, membership revocation remains a non-trivial problem: many existing solutions do not scale well due to either high overhead or constraining operational requirements (like the need for all users to update their keys after each revocation). Only recently, Libert, Peters and Yung (Eurocrypt’12) suggested a new scalable revocation method, based on the Naor-Naor-Lotspiech (NNL) broadcast encryption framework, that interacts nicely with techniques for building group signatures in the standard model. While promising, their mechanism introduces important storage requirements at group members. Namely, membership certificates, which used to have constant size in existing standard model constructions, now have polylog size in the maximal cardinality of the group (NNL, after all, is a tree-based technique and such dependency is naturally expected). In this paper we show how to obtain private keys of constant size. To this end, we introduce a new technique to leverage the NNL subset cover framework in the context of group signatures but, perhaps surprisingly, without logarithmic relationship between the size of private keys and the group cardinality. Namely, we provide a way for users to efficiently prove their membership of one of the generic subsets in the NNL subset cover framework. This technique makes our revocable group signatures competitive with ordinary group signatures (i.e., without revocation) in the standard model. Moreover, unrevoked members (as in PKIs) still do not need to update their keys at each revocation.

Keywords. Group signatures, revocation, standard model, efficiency, short private keys.

1 Introduction

Group signatures, as suggested by Chaum and van Heyst [29], allow members of a group managed by some authority to sign messages in the name of the group while hiding their identity. At the same time, a tracing authority has the power of identifying the signer if necessary. A crucial problem is the revocation of the anonymous signing capability of users when they are banned from or intentionally leave the group.

1.1 Related Work

Ordinary group signatures. The first efficient and provably coalition-resistant group signature dates back to the work of Ateniese, Camenisch, Joye and Tsudik [6]. By the time their scheme appeared, the security of the primitive was not appropriately formalized yet. Suitable security definitions remained lacking until the work of Bellare, Micciancio and Warinschi [8] (BMW) who captured all the requirements of group signatures in three properties. In (a variant of) this model, Boneh, Boyen and Shacham [14] obtained very short signatures using the random oracle methodology [9].

⋆ This author acknowledges the Belgian Fund for Scientific Research (F.R.S.-F.N.R.S.) for his “Collaborateur scientifique” fellowship.

⋆⋆ Supported by the IUAP B-Crypt Project and the Walloon Region Camus Project.

The BMW model assumes static groups where no new member can be introduced after the setup phase. The setting of dynamically changing groups was analyzed later on by Bellare-Shi-Zhang [10] and, independently, by Kiayias and Yung [40]. In the models of [10, 40], constructions featuring relatively short signatures were proposed in [54, 30]. A construction in the standard model was also suggested by Ateniese et al. [5] under interactive assumptions. At the same time, Boyen and Waters gave a different solution [18] without random oracles using more standard assumptions. By improving upon their own scheme, they managed [19] to obtain signatures of constant size. Their constructions [18, 19] were both presented in the BMW model [8] and provide anonymity in the absence of signature opening oracle. In the dynamic model [10], Groth [34] showed a system in the standard model with O(1)-size signatures but, due to very large hidden constants, his scheme was mostly a feasibility result. Later on, Groth came up with an efficient realization [35] (and signatures of about 50 group elements) with the strongest anonymity level.

Revocation. As in ordinary PKIs, where certificate revocation is a critical issue, membership revocation is a complex problem that has been extensively studied [20, 7, 26, 17] in the last decade. Generating a new group public key and distributing new signing keys to unrevoked members is a simple solution. In large groups, it is impractical to update the public key and provide members with new keys after they joined the group. Bresson and Stern suggested a different approach [20] consisting of having the signer prove that his membership certificate does not belong to a list of revoked certificates. Unfortunately, the length of signatures grows with the number of revoked members. In forward-secure group signatures, Song [56] chose a different way to handle revocation but verification takes linear time in the number of excluded users.

Camenisch and Lysyanskaya [26] proposed an elegant method using accumulators¹ [11]. Their technique, also used in [59, 24], allows revoking members while keeping O(1) costs for signing and verifying. The downside of this approach is its history-dependence: it requires users to follow the dynamic evolution of the group and keep track of all changes: each revocation incurs a modification of the accumulator value, so that unrevoked users have to upgrade their membership certificate before signing new messages. In the worst case, this may require up to O(r) exponentiations, if r is the number of revoked users.

Another drawback of accumulator-based approaches is their limited applicability in the standard model. Indeed, for compatibility reasons with the central tool of Groth-Sahai proofs, pairing-based accumulators are the only suitable candidates. However, in known pairing-based accumulators [53, 24], public keys have linear size in the maximal number of accumulations, which would result in linear-size group public keys in immediate implementations. To address this concern in delegatable anonymous credentials, Acar and Nguyen [4] chose to sacrifice the constant size of proofs of non-membership but, in group signatures, this would prevent signatures from having constant size. Boneh, Boyen and Shacham [14] managed to avoid linear dependencies in a revocation mechanism along the lines of [26]. Unfortunately, their technique does not seem to readily interact² with Groth-Sahai proofs [36] so as to work in the standard model.

In [21], Brickell considered the notion of verifier-local revocation group signatures, for which formal definitions were given by Boneh and Shacham [17] and other extensions were proposed in [50, 61, 45]. In this approach, revocation messages are only sent to verifiers and the signing algorithm is completely independent of the number of revocations. Verifiers take as additional input a revocation list (RL), maintained by the group manager, and have to perform a revocation test for each RL entry in order to be convinced that signatures were not issued by a revoked member (a similar revocation mechanism is used in [22]). The verification cost is thus inevitably linear in the number of expelled users.

¹ An accumulator is a kind of “hash” function mapping a set of values to a short, constant-size string while allowing to efficiently prove that a specific value was accumulated.

² In [14], signing keys consist of pairs $(g^{1/(\omega+s)}, s) \in \mathbb{G} \times \mathbb{Z}_p$, where $\omega \in \mathbb{Z}_p$ is the secret key of the group manager, and the revocation method relies on the availability of the exponent $s \in \mathbb{Z}_p$. In the standard model, the Groth-Sahai techniques would require to turn the membership certificates into triples $(g^{1/(\omega+s)}, g^s, u^s)$, for some $u \in \mathbb{G}$ (as in [19]), which is not compatible with the revocation mechanism.

In 2009, Nakanishi, Fuji, Hira and Funabiki [49] came up with a revocable group signature with constant complexities for signing/verifying. At the same time, group members never have to update their keys. On the other hand, their proposal suffers from linear-size group public keys in the maximal number N of users, although a variant reduces the group public key size to $O(N^{1/2})$.

In anonymous credentials, Tsang et al. [57, 58] showed how to prevent users from anonymously authenticating themselves without compromising their anonymity or involving a trusted third party. Their schemes either rely on accumulators (which may be problematic in our setting) or have linear proving complexity in the number of revocations. Camenisch, Kohlweiss and Soriente [25] dealt with revocations in anonymous credentials by periodically updating users credentials in which a specific attribute indicates a validity period. In group signatures, their technique would place an important burden on the group manager who would have to generate updates for each unrevoked individual credential.

While, for various reasons, none of the above constructions conveniently supports large groups, a highly scalable revocation mechanism borrowed from the literature on broadcast encryption was recently described by Libert, Peters and Yung [47] (LPY). Using the Subset Cover framework of Naor, Naor and Lotspiech [51] (NNL), they described a history-independent revocable group signature in the standard model with constant verification time and at most polylogarithmic complexity in other parameters. The technique of [47] blends well with structure-preserving signatures [1, 2] and the Groth-Sahai proofs [36]. The best tradeoff of [47] builds on the Subset Difference (SD) method [51] in its public-key variant due to Dodis and Fazio [31]. It features constant signature size and verification time, $O(\log N)$-size group public keys, revocation lists of size $O(r)$ (as in standard PKIs and group signatures with verifier-local revocation) and membership certificates of size $O(\log^3 N)$. This can be reduced to $O(\log N)$ using the Complete Subtree method [51] but revocation lists are then inflated by a factor of $O(\log N / r)$. Although the Layered Subset Difference method [37] allows for noticeable improvements, the constructions of [47] suffer from relatively large membership certificates. However, some logarithmic dependency on the group size is expected when basing revocation on a tree-like NNL methodology.

1.2 Our Contributions

As mentioned above, to date, in the only scalable revocable group signatures with constant verification time in the standard model [47], group members have to store a polylogarithmic number of group elements. In many applications, however, this can rapidly become unwieldy even for moderately large groups: for example, using the Subset Difference method with $N = 1000 \approx 2^{10}$, users may have to privately store thousands of group elements. In order to be competitive with other group signatures in the standard model such as [35] and still be able to revoke members while keeping them “stateless”, it is highly desirable to reduce this complexity.


In this paper, we start with the approach of [47] so as to instantiate the Subset Difference method, but obtain private keys of constant size without degrading other performance criteria. This may sound somewhat surprising since, in the SD method, (poly)logarithmic complexities inherently seem inevitable in several metrics. Indeed, in the context of broadcast encryption [51], it requires private keys of size $O(\log^2 N)$ (and even $O(\log^3 N)$ in the public key setting [31] if the result of Boneh-Boyen-Goh [13] is used). Here, we reduce this overhead to a constant while the only dependency on N is a $O(\log N)$-size group public key.

The key idea is as follows. As in the NNL framework, group members are assigned to a leaf of a binary tree and each unrevoked member should belong to exactly one subset in the cover of authorized leaves determined by the group manager. Instead of relying on hierarchical identity-based encryption [15, 38, 33] as in the public-key variant [31] of NNL, we use a novel way for users to non-interactively prove their membership of some generic subset of the SD method using a proof of constant size.

To construct these “compact anonymous membership proofs”, we employ concise vector commitment schemes [46, 27], where each commitment can be opened w.r.t. individual coordinates in a space-efficient manner (namely, the size of a coordinate-wise opening does not depend on the length of the vector). These vector commitments interact nicely with the specific shape of subsets – as differences between two subtrees – in the SD method. Using them, we compactly encode as a vector the path from the user’s leaf to the root. To provide evidence of their inclusion in one of the SD subsets, group members successively prove the equality and the inequality between two coordinates of their vector (i.e., two nodes of the path from their leaf to the root) and specific node labels indicated by an appropriate entry of the revocation list. This is where the position-wise openability of concise commitments is very handy. Of course, for anonymity purposes, the relevant entry of the revocation list only appears in committed form in the group signature. In order to prove that he is using a legal entry of the revocation list, the user generates a set membership proof [23] and proves knowledge of a signature from the group manager on the committed RL entry.

Our technique allows making the most of the LPY approach [47] by reducing the size of membership certificates to a small constant: at the cost of lengthening signatures by a factor of only 1.5, we obtain membership certificates consisting of only 9 group elements and a small integer. For N = 1000, users’ private keys are thus compressed by a multiplicative factor of several hundreds and this can only become more dramatic for larger groups. At the same time, our main scheme retains all the useful properties of [47]: like the construction of Nakanishi et al. [49], it does not require users to update their membership certificates at any time but, unlike [49], our group public key size is $O(\log N)$. Like the SD-based construction of [47], our system uses revocation lists of size $O(r)$, which is on par with Certificate Revocation Lists (CRLs) of standard PKIs. It is worth noting that RLs are not part of the group public key: verifiers only need to know the number of the latest revocation epoch and they should not bother to read RLs entirely.

Eventually, our novel approach yields revocable group signatures that become competitive with the regular CRL approach in PKIs: signature generation and verification have constant cost, signatures and membership certificates being of O(1)-size while revocation lists have size $O(r)$. A detailed efficiency comparison with previous approaches is given in Section 4. Finally, it is conceivable that our improved revocation technique can find applications beyond group signatures.


2 Background

2.1 Bilinear Maps and Complexity Assumptions

We use bilinear maps $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ over groups of prime order $p$ where $e(g, h) \neq 1_{\mathbb{G}_T}$ if and only if $g, h \neq 1_{\mathbb{G}}$. In these groups, we rely on hardness assumptions that are all falsifiable [52].

Definition 1 ([14]). The Decision Linear Problem (DLIN) in $\mathbb{G}$ is to distinguish the distributions $(g^a, g^b, g^{ac}, g^{bd}, g^{c+d})$ and $(g^a, g^b, g^{ac}, g^{bd}, g^z)$, with $a, b, c, d \xleftarrow{R} \mathbb{Z}_p^*$, $z \xleftarrow{R} \mathbb{Z}_p^*$. The Decision Linear Assumption is the intractability of DLIN for any PPT distinguisher $\mathcal{D}$.

Definition 2 ([12]). The q-Strong Diffie-Hellman problem (q-SDH) in $\mathbb{G}$ is, given a tuple $(g, g^a, \ldots, g^{(a^q)})$, for some $g \xleftarrow{R} \mathbb{G}$ and $a \xleftarrow{R} \mathbb{Z}_p$, to find a pair $(g^{1/(a+s)}, s) \in \mathbb{G} \times \mathbb{Z}_p$.

We use a signature scheme proposed by Abe et al. [1], the security of which relies on this assumption.

Definition 3 ([1]). In a group $\mathbb{G}$, the q-Simultaneous Flexible Pairing Problem (q-SFP) is, given $(g_z, h_z, g_r, h_r, a, \tilde{a}, b, \tilde{b}) \in \mathbb{G}^8$ and $q \in \mathrm{poly}(\lambda)$ tuples $(z_j, r_j, s_j, t_j, u_j, v_j, w_j) \in \mathbb{G}^7$ such that

$$e(a, \tilde{a}) = e(g_z, z_j) \cdot e(g_r, r_j) \cdot e(s_j, t_j) \quad \text{and} \quad e(b, \tilde{b}) = e(h_z, z_j) \cdot e(h_r, u_j) \cdot e(v_j, w_j), \qquad (1)$$

to find a tuple $(z^\star, r^\star, s^\star, t^\star, u^\star, v^\star, w^\star) \in \mathbb{G}^7$ satisfying relation (1) and such that $z^\star \notin \{1_{\mathbb{G}}, z_1, \ldots, z_q\}$.

The paper will appeal to two other assumptions. The first one was implicitly introduced in [16].

Definition 4 ([16]). Let $\mathbb{G}$ be a group of prime order $p$. The $\ell$-Diffie-Hellman Exponent ($\ell$-DHE) problem is, given elements $(g, g_1, \ldots, g_\ell, g_{\ell+2}, \ldots, g_{2\ell}) \in \mathbb{G}^{2\ell}$ such that $g_i = g^{(\alpha^i)}$ for each $i$ and where $\alpha \xleftarrow{R} \mathbb{Z}_p^*$, to compute the missing element $g_{\ell+1} = g^{(\alpha^{\ell+1})}$.

We actually need a stronger variant, used in [39], of the $\ell$-DHE assumption. The Flexible Diffie-Hellman assumption [43] asserts the hardness of finding a non-trivial triple $(g^\mu, g^{a \mu}, g^{ab \mu})$, for some non-zero $\mu \in \mathbb{Z}_p^*$, given $(g, g^a, g^b)$. The following assumption relaxes the $\ell$-DHE assumption in a similar way.

Definition 5. In a group $\mathbb{G}$ of prime order $p$, the Flexible $\ell$-Diffie-Hellman Exponent ($\ell$-FlexDHE) problem is, given $(g, g_1, \ldots, g_\ell, g_{\ell+2}, \ldots, g_{2\ell}) \in \mathbb{G}^{2\ell}$ such that $g_i = g^{(\alpha^i)}$ for each $i$ and where $\alpha \xleftarrow{R} \mathbb{Z}_p^*$, to compute a non-trivial triple $(g^\mu, g_{\ell+1}^{\mu}, g_{2\ell}^{\mu}) \in (\mathbb{G} \setminus \{1_{\mathbb{G}}\})^3$, for some $\mu \in \mathbb{Z}_p^*$ and where $g_{\ell+1} = g^{(\alpha^{\ell+1})}$.

The reason why we need to rely on the above assumption instead of the weaker $\ell$-DHE assumption is that, in our proofs, the exponent $\mu \in \mathbb{Z}_p$ will appear inside Groth-Sahai commitments [36], from which only values of the form $(g^\mu, g_{\ell+1}^{\mu})$ will be efficiently extractable. The additional element $g_{2\ell}^{\mu}$ will thus prevent the adversary from simply choosing $\mu = \alpha$ or $\mu = \alpha^{-1}$.

A proof of the generic hardness of the $\ell$-FlexDHE problem is given in [39]. We note that, while the strength of the assumption grows with $\ell$, $\ell$ is only logarithmic in the maximal number of users here.


2.2 Groth-Sahai Proof Systems

The fundamental Groth-Sahai (GS) techniques [36] can be based on the DLIN assumption, where they use prime order groups and a common reference string containing three vectors $\vec f_1, \vec f_2, \vec f_3 \in \mathbb{G}^3$, where $\vec f_1 = (f_1, 1, g)$, $\vec f_2 = (1, f_2, g)$ for some $f_1, f_2 \in \mathbb{G}$. To commit to a group element $X \in \mathbb{G}$, one chooses $r, s, t \xleftarrow{R} \mathbb{Z}_p^*$ and computes $\vec C = (1, 1, X) \cdot \vec f_1^{\,r} \cdot \vec f_2^{\,s} \cdot \vec f_3^{\,t}$. In the perfect soundness setting, we have $\vec f_3 = \vec f_1^{\,\xi_1} \cdot \vec f_2^{\,\xi_2}$ where $\xi_1, \xi_2 \in \mathbb{Z}_p^*$. Commitments $\vec C = (f_1^{r + \xi_1 t}, f_2^{s + \xi_2 t}, X \cdot g^{r + s + t(\xi_1 + \xi_2)})$ are then extractable (and distributed as Boneh-Boyen-Shacham (BBS) ciphertexts [14]) using $\beta_1 = \log_g(f_1)$, $\beta_2 = \log_g(f_2)$. In the witness indistinguishability (WI) setting, vectors $\vec f_1, \vec f_2, \vec f_3$ are linearly independent and $\vec C$ is a perfectly hiding commitment. Under the DLIN assumption, the two kinds of CRS are computationally indistinguishable.

To commit to an exponent $x \in \mathbb{Z}_p$, one computes $\vec C = \vec\varphi^{\,x} \cdot \vec f_1^{\,r} \cdot \vec f_2^{\,s}$, where $r, s \xleftarrow{R} \mathbb{Z}_p^*$, using a CRS consisting of vectors $\vec\varphi, \vec f_1, \vec f_2$. In the perfect soundness setting, $\vec\varphi, \vec f_1, \vec f_2$ are linearly independent ($\vec\varphi$ is often chosen as $\vec\varphi = \vec f_3 \cdot (1, 1, g)$, where $\vec f_3 = \vec f_1^{\,\xi_1} \cdot \vec f_2^{\,\xi_2}$, for example) whereas, in the WI setting, choosing $\vec\varphi = \vec f_1^{\,\xi_1} \cdot \vec f_2^{\,\xi_2}$ gives a perfectly hiding commitment since $\vec C$ is always a BBS encryption of $1_{\mathbb{G}}$.

To prove that committed variables satisfy a set of relations, the prover computes one commitment per variable and one proof element per relation. Such non-interactive witness indistinguishable (NIWI) proofs are available for pairing-product equations, which are relations of the type

$$\prod_{i=1}^{n} e(\mathcal{A}_i, \mathcal{X}_i) \cdot \prod_{i=1}^{n} \prod_{j=1}^{n} e(\mathcal{X}_i, \mathcal{X}_j)^{a_{ij}} = t_T, \qquad (2)$$

for variables $\mathcal{X}_1, \ldots, \mathcal{X}_n \in \mathbb{G}$ and constants $t_T \in \mathbb{G}_T$, $\mathcal{A}_1, \ldots, \mathcal{A}_n \in \mathbb{G}$, $a_{ij} \in \mathbb{Z}_p$, for $i, j \in \{1, \ldots, n\}$. Efficient NIWI proofs also exist for multi-exponentiation equations, which are of the form

$$\prod_{i=1}^{m} \mathcal{A}_i^{y_i} \cdot \prod_{j=1}^{n} \mathcal{X}_j^{b_j} \cdot \prod_{i=1}^{m} \prod_{j=1}^{n} \mathcal{X}_j^{y_i \gamma_{ij}} = T, \qquad (3)$$

for variables $\mathcal{X}_1, \ldots, \mathcal{X}_n \in \mathbb{G}$, $y_1, \ldots, y_m \in \mathbb{Z}_p$ and constants $T, \mathcal{A}_1, \ldots, \mathcal{A}_m \in \mathbb{G}$, $b_1, \ldots, b_n \in \mathbb{Z}_p$ and $\gamma_{ij} \in \mathbb{G}$, for $i \in \{1, \ldots, m\}$, $j \in \{1, \ldots, n\}$.

In pairing-product equations, proofs for quadratic equations consist of 9 group elements whereas linear equations (i.e., where $a_{ij} = 0$ for all $i, j$ in equation (2)) only demand 3 group elements each. Linear multi-exponentiation equations of the type $\prod_{i=1}^{m} \mathcal{A}_i^{y_i} = T$ demand 2 group elements.

Multi-exponentiation equations admit zero-knowledge (NIZK) proofs at no additional cost. On a simulated CRS (prepared for the WI setting), a trapdoor allows simulating proofs without using the witnesses and simulated proofs are distributed as real proofs.

2.3 Structure-Preserving Signatures

Many anonymity-related protocols (e.g., [28, 1, 2, 32, 3]) require to sign elements of bilinear groups while maintaining the feasibility of conveniently proving that a committed signature is valid for a committed message.

Abe, Haralambiev and Ohkubo [1, 2] (AHO) showed how to sign messages of $n$ group elements using signatures consisting of $O(1)$ group elements. In the context of symmetric pairings, the description hereafter assumes public parameters $\mathsf{pp} = ((\mathbb{G}, \mathbb{G}_T), g)$ consisting of groups $(\mathbb{G}, \mathbb{G}_T)$ of order $p > 2^\lambda$, where $\lambda \in \mathbb{N}$ is a security parameter, with a bilinear map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ and a generator $g \in \mathbb{G}$.

Keygen$(\mathsf{pp}, n)$: given an upper bound $n \in \mathbb{N}$ on the number of group elements per signed message, choose generators $G_r, H_r \xleftarrow{R} \mathbb{G}$. Pick $\gamma_z, \delta_z \xleftarrow{R} \mathbb{Z}_p$ and $\gamma_i, \delta_i \xleftarrow{R} \mathbb{Z}_p$, for $i = 1$ to $n$. Then, compute $G_z = G_r^{\gamma_z}$, $H_z = H_r^{\delta_z}$ and $G_i = G_r^{\gamma_i}$, $H_i = H_r^{\delta_i}$ for each $i \in \{1, \ldots, n\}$. Finally, choose $\alpha_a, \alpha_b \xleftarrow{R} \mathbb{Z}_p$ and define $A = e(G_r, g^{\alpha_a})$ and $B = e(H_r, g^{\alpha_b})$. The public key is defined to be

$$pk = \big(G_r, H_r, G_z, H_z, \{G_i, H_i\}_{i=1}^{n}, A, B\big) \in \mathbb{G}^{2n+4} \times \mathbb{G}_T^2$$

while the private key is $sk = (\alpha_a, \alpha_b, \gamma_z, \delta_z, \{\gamma_i, \delta_i\}_{i=1}^{n})$.

Sign$(sk, (M_1, \ldots, M_n))$: to sign a vector $(M_1, \ldots, M_n) \in \mathbb{G}^n$ using $sk = (\alpha_a, \alpha_b, \gamma_z, \delta_z, \{\gamma_i, \delta_i\}_{i=1}^{n})$, choose $\zeta, \rho_a, \rho_b, \omega_a, \omega_b \xleftarrow{R} \mathbb{Z}_p$ and compute $\theta_1 = g^\zeta$ as well as

$$\theta_2 = g^{\rho_a - \gamma_z \zeta} \cdot \prod_{i=1}^{n} M_i^{-\gamma_i}, \qquad \theta_3 = G_r^{\omega_a}, \qquad \theta_4 = g^{(\alpha_a - \rho_a)/\omega_a},$$

$$\theta_5 = g^{\rho_b - \delta_z \zeta} \cdot \prod_{i=1}^{n} M_i^{-\delta_i}, \qquad \theta_6 = H_r^{\omega_b}, \qquad \theta_7 = g^{(\alpha_b - \rho_b)/\omega_b}.$$

The signature consists of $\sigma = (\theta_1, \theta_2, \theta_3, \theta_4, \theta_5, \theta_6, \theta_7)$.

Verify$(pk, \sigma, (M_1, \ldots, M_n))$: parse $\sigma$ as $(\theta_1, \theta_2, \theta_3, \theta_4, \theta_5, \theta_6, \theta_7) \in \mathbb{G}^7$ and return 1 iff these equalities hold:

$$A = e(G_z, \theta_1) \cdot e(G_r, \theta_2) \cdot e(\theta_3, \theta_4) \cdot \prod_{i=1}^{n} e(G_i, M_i),$$

$$B = e(H_z, \theta_1) \cdot e(H_r, \theta_5) \cdot e(\theta_6, \theta_7) \cdot \prod_{i=1}^{n} e(H_i, M_i).$$

The scheme was proved [1, 2] existentially unforgeable under chosen-message attacks under the q-SFP assumption, where q is the number of signing queries.

Signatures can be publicly randomized to obtain a different signature $\{\theta'_i\}_{i=1}^{7} \leftarrow \mathsf{ReRand}(pk, \sigma)$ on $(M_1, \ldots, M_n)$. After randomization, we have $\theta'_1 = \theta_1$ whereas other signature components $\{\theta'_i\}_{i=2}^{7}$ are uniformly distributed among the values satisfying $e(G_r, \theta'_2) \cdot e(\theta'_3, \theta'_4) = e(G_r, \theta_2) \cdot e(\theta_3, \theta_4)$ and $e(H_r, \theta'_5) \cdot e(\theta'_6, \theta'_7) = e(H_r, \theta_5) \cdot e(\theta_6, \theta_7)$. Moreover, $\{\theta'_i\}_{i \in \{3,4,6,7\}}$ are statistically independent of the message and the rest of the signature. This implies that, in privacy-preserving protocols, re-randomized $\{\theta'_i\}_{i \in \{3,4,6,7\}}$ can be safely given in the clear as long as $(M_1, \ldots, M_n)$ and $\{\theta'_i\}_{i \in \{1,2,5\}}$ are given in committed form.

In [3], Abe, Groth, Haralambiev and Ohkubo described a more efficient structure-preserving signature based on interactive assumptions. Here, we only rest on non-interactive assumptions.

2.4 Vector Commitment Schemes

We use concise vector commitment schemes, where commitments can be opened with a short decommitment string for each individual coordinate. Such commitments based on ideas from [16, 24] were described by Libert and Yung [46] and, under weaker assumptions, by Catalano and Fiore [27]. In [46], the commitment key is $ck = (g, g_1, \ldots, g_\ell, g_{\ell+2}, \ldots, g_{2\ell}) \in \mathbb{G}^{2\ell}$, where $g_i = g^{(\alpha^i)}$ for each $i$. The trapdoor of the commitment is $g_{\ell+1}$, which does not appear in $ck$. To commit to a vector $\vec m = (m_1, \ldots, m_\ell)$, the committer picks $r \xleftarrow{R} \mathbb{Z}_p$ and computes $C = g^r \cdot \prod_{\kappa=1}^{\ell} g_{\ell+1-\kappa}^{m_\kappa}$. A single group element $W_i = g_i^r \cdot \prod_{\kappa=1, \kappa \neq i}^{\ell} g_{\ell+1-\kappa+i}^{m_\kappa}$ provides evidence that $m_i$ is the $i$-th component of $\vec m$ as it satisfies the relation $e(g_i, C) = e(g, W_i) \cdot e(g_1, g_\ell)^{m_i}$. The infeasibility of opening a commitment to two distinct messages for some coordinate $i$ relies on the $\ell$-DHE assumption. For our purposes, we only rely on the position-wise binding property of vector commitments and do not need them to be hiding. The randomizer $r$ will thus be removed from the expression of $C$.

2.5 The NNL Framework for Broadcast Encryption

The important Subset Cover framework [51] considers secret-key broadcast encryption schemes with $N = 2^\ell$ registered receivers. Each receiver is associated with a leaf of a complete binary tree $\mathsf{T}$ of height $\ell$ where each node is assigned a secret key. If $\mathcal{N}$ denotes the universe of users and $\mathcal{R} \subset \mathcal{N}$ is the set of revoked receivers, the framework’s idea is to partition the set of non-revoked users into $m$ disjoint subsets $S_1, \ldots, S_m$ such that $\mathcal{N} \setminus \mathcal{R} = S_1 \cup \ldots \cup S_m$. Depending on the way to divide $\mathcal{N} \setminus \mathcal{R}$, different tradeoffs are possible.

The Subset Difference (SD) method yields a transmission cost of $O(|\mathcal{R}|)$ and a storage complexity in $O(\log^2 N)$. For each node $x_j \in \mathsf{T}$, we call $\mathsf{T}_{x_j}$ the subtree rooted at $x_j$. The unrevoked set $\mathcal{N} \setminus \mathcal{R}$ is partitioned into disjoint subsets $S_{k_1,u_1}, \ldots, S_{k_m,u_m}$. For each $i \in \{1, \ldots, m\}$, the subset $S_{k_i,u_i}$ is determined by a node $x_{k_i}$ and one of its descendants $x_{u_i}$ – which are called primary and secondary roots of $S_{k_i,u_i}$, respectively – and it consists of the leaves of $\mathsf{T}_{x_{k_i}}$ that are not in $\mathsf{T}_{x_{u_i}}$. Each user belongs to many generic subsets, so that the number of subsets is bounded by $m = 2 \cdot |\mathcal{R}| - 1$, as proved in [51].

In the broadcast encryption scenario, a sophisticated key distribution process is necessary to avoid a prohibitive storage overhead. Each subset $S_{k_i,u_i}$ is assigned a “proto-key” $P_{x_{k_i}, x_{u_i}}$ that allows deriving the actual symmetric encryption key $K_{k_i,u_i}$ for $S_{k_i,u_i}$ as well as proto-keys $P_{x_{k_i}, x_{u_l}}$ for any descendant $x_{u_l}$ of $x_{u_i}$. Eventually, each user has to store $O(\log^2 N)$ keys. In the setting of group signatures, we will show that, somewhat unexpectedly, the use of vector commitment schemes allows reducing the private storage to a constant: the size of users’ private keys only depends on the security parameter $\lambda$, and not on $N$.
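The SD partition just described, together with the membership test that Section 1.2 reduces to two coordinates of the leaf-to-root path vector (equality at the depth of the primary root, inequality at the depth of the secondary root), as an added example that is not part of the paper. The cover is computed with the Steiner-tree procedure of [51]; the heap-style node labelling (root 1, children of x are 2x and 2x+1) and all function names are assumptions of this example.

```python
"""Subset Difference (SD) cover over a complete binary tree with N = 2**ell
leaves, plus the two-coordinate membership test on the path vector.

Example code added here, not the paper's own.  Labelling is an assumption of
this example: root = 1, children of x are 2x and 2x+1, leaves are
2**ell .. 2**(ell+1)-1.  A subset S_{k,u} is the pair (k, u): the leaves of
the subtree rooted at k that are not in the subtree rooted at u.
"""
from typing import List, Optional, Set, Tuple

Subset = Tuple[int, Optional[int]]


def depth(node: int) -> int:
    """Depth of a node, the root being at depth 0."""
    return node.bit_length() - 1


def lca(a: int, b: int) -> int:
    """Least common ancestor: repeatedly lift the larger (deeper or rightmost) label."""
    while a != b:
        if a > b:
            a >>= 1
        else:
            b >>= 1
    return a


def child_towards(v: int, leaf: int) -> int:
    """Child of v on the path from v down to leaf (leaf must lie strictly below v)."""
    return leaf >> (depth(leaf) - depth(v) - 1)


def sd_cover(ell: int, revoked: Set[int]) -> List[Subset]:
    """Naor-Naor-Lotspiech cover algorithm for the SD method.

    Returns subsets (k, u) partitioning the unrevoked leaves.  u is None only in
    the degenerate case R = {} (whole tree, nothing excluded).  For non-empty R
    the number of subsets is at most 2*|R| - 1.
    """
    root = 1
    if not revoked:
        return [(root, None)]
    cover: List[Subset] = []
    leaves = set(revoked)            # current leaves of the shrinking Steiner tree
    while len(leaves) > 1:
        # the pair with the deepest LCA has no other Steiner leaf below that LCA
        a, b = max(((x, y) for x in leaves for y in leaves if x < y),
                   key=lambda p: depth(lca(*p)))
        v = lca(a, b)
        for leaf in (a, b):
            c = child_towards(v, leaf)
            if c != leaf:            # T_c minus T_leaf is a non-empty SD subset
                cover.append((c, leaf))
        leaves -= {a, b}
        leaves.add(v)                # v becomes a leaf of the Steiner tree
    (v,) = leaves
    if v != root:
        cover.append((root, v))
    return cover


def path_vector(ell: int, leaf: int) -> List[int]:
    """Ancestor labels of leaf indexed by depth (index 0 = root, index ell = leaf).
    This is the vector the paper commits to with a concise vector commitment."""
    return [leaf >> (ell - d) for d in range(ell + 1)]


def in_subset(ell: int, leaf: int, k: int, u: Optional[int]) -> bool:
    """Membership in S_{k,u} via two coordinate tests on the path vector:
    coordinate depth(k) must EQUAL k, coordinate depth(u) must DIFFER from u."""
    path = path_vector(ell, leaf)
    if path[depth(k)] != k:
        return False
    return u is None or path[depth(u)] != u


def covering_subset(ell: int, leaf: int, cover: List[Subset]) -> Optional[int]:
    """Index of the unique cover entry containing leaf, or None if leaf is revoked."""
    hits = [i for i, (k, u) in enumerate(cover) if in_subset(ell, leaf, k, u)]
    assert len(hits) <= 1, "SD subsets must be disjoint"
    return hits[0] if hits else None


def check_cover(ell: int, revoked: Set[int]) -> bool:
    """Every unrevoked leaf lies in exactly one subset, every revoked leaf in none,
    and |cover| <= 2|R| - 1 whenever R is non-empty."""
    cover = sd_cover(ell, revoked)
    for leaf in range(2 ** ell, 2 ** (ell + 1)):
        covered = covering_subset(ell, leaf, cover) is not None
        if covered == (leaf in revoked):
            return False
    return not revoked or len(cover) <= 2 * len(revoked) - 1


if __name__ == "__main__":
    # constructed sample: N = 8 users; the users at leaves 9 and 14 are revoked
    cov = sd_cover(3, {9, 14})
    print("cover:", cov)                      # (2, 9) and (3, 14)
    print("leaf 10 lies in subset", covering_subset(3, 10, cov))
    print("all sample revocation sets consistent:",
          all(check_cover(3, set(r)) for r in ([], [8], [8, 9], [9, 14], [8, 11, 12, 15])))
```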

2.6 Revocable Group Signatures

As in [49, 47] (and w.l.o.g.), we consider schemes that have their lifetime divided into revocation epochs at the beginning of which group managers update their revocation lists.

The syntax and the security model are similar to those used by Kiayias and Yung [40]. Like the Bellare-Shi-Zhang model [10], the Kiayias-Yung model assumes an interactive join protocol whereby the user becomes a group member by interacting with the group manager.

Syntax. We denote by N ∈ poly(λ) the maximal number of group members. At the beginning of each revocation epoch t, the group manager publicizes an up-to-date revocation list RL_t and we denote by R_t ⊂ {1, . . . , N} the corresponding set of revoked users (we assume that R_t is part of RL_t). A revocable group signature (R-GS) scheme consists of the following algorithms or protocols.


Group Signatures with Almost-for-free Revocation. The setting of dynamically changing groups was analyzed later on by Bellare-Shi-Zhang [10] and, independently, by Kiayias and Yung [40].

Setup(λ, N): given a security parameter λ ∈ N and a maximal number of group members N ∈ N, this algorithm (which is run by some trusted party) generates a group public key Y, the group manager's private key S_GM and the opening authority's private key S_OA. Keys S_GM and S_OA are given to the appropriate authority while Y is publicized. The algorithm also initializes a public state St comprising a set data structure St_users = ∅ and a string data structure St_trans = ε.

Join: is an interactive protocol between the group manager GM and a prospective group member U_i. The protocol involves two interactive Turing machines J_user and J_GM that both take as input Y. The execution, denoted as [J_user(λ, Y), J_GM(λ, St, Y, S_GM)], ends with U_i obtaining a membership secret sec_i, that no one else knows, and a membership certificate cert_i. If the protocol is successful, the group manager updates the public state St by setting St_users := St_users ∪ {i} as well as St_trans := St_trans || ⟨i, transcript_i⟩.

Revoke: is a (possibly probabilistic) algorithm allowing the GM to generate an updated revocation list RL_t for the new revocation epoch t. It takes as input a public key Y and a set R_t ⊂ St_users that identifies the users to be revoked. It outputs an updated revocation list RL_t for epoch t.

Sign: given a revocation epoch t with its revocation list RL_t, a membership certificate cert_i, a membership secret sec_i and a message M, this algorithm outputs ⊥ if i ∈ R_t and a signature σ otherwise.

Verify: given a signature σ, a revocation epoch t, the corresponding revocation list RL_t, a message M and a group public key Y, this deterministic algorithm returns either 0 or 1.

Open: takes as input a message M, a valid signature σ w.r.t. Y for the indicated revocation epoch t, the opening authority's private key S_OA and the public state St. It outputs i ∈ St_users ∪ {⊥}, which is the identity of a group member or a symbol indicating an opening failure.

Each membership certificate contains a unique tag that identifies the user. An R-GS scheme must satisfy three security notions defined in Appendix A. The first one is called security against misidentification attacks. It requires that, even if the adversary can introduce and revoke users at will, it cannot produce a signature that traces outside the set of unrevoked adversarially-controlled users.

As in ordinary (i.e., non-revocable) group signatures, the notion of security against framing attacks captures that under no circumstances should an honest user be held accountable for messages that he did not sign, even if the whole system conspires against that user. Finally, the notion of anonymity is also defined (by granting the adversary access to a signature opening oracle) as in the models of [10, 40].

3 A Revocable Group Signature with Compact Keys and Constant Verification Time

The number of users is assumed to be N = 2^{ℓ−1} ∈ poly(λ), for some integer ℓ, so that each group member is assigned to a leaf of the tree. Each node is assigned a unique identifier. For simplicity, the root is identified by ID(ε) = 1 and, for each other node x, we define the identifier ID(x) ∈ {1, . . . , 2N − 1} to be ID(x) = 2 · ID(parent(x)) + b, where parent(x) denotes x's father in the tree and b = 0 (resp. b = 1) if x is the left (resp. right) child of its father. The root of the tree is assigned the identifier ID_ε = 1.

At the beginning of each revocation epoch t, the GM generates an up-to-date revocation list RL_t containing one entry for each generic subset S_{k_1,u_1}, . . . , S_{k_m,u_m} produced by the Subset Difference method. These subsets are encoded in such a way that unrevoked users can anonymously prove their membership of one of them. Our technique allows doing this using a proof of constant size.

The intuition is as follows. In the generation of RL_t, for each i ∈ {1, . . . , m}, if x_{k_i} (resp. x_{u_i}) denotes the primary (resp. secondary) root of S_{k_i,u_i}, the GM encodes S_{k_i,u_i} as a vector of group elements R_i that determines the levels of nodes x_{k_i} and x_{u_i} in the tree (which are called φ_i and ψ_i hereafter) and the identifiers ID(x_{k_i}) and ID(x_{u_i}). Then, the resulting vector R_i is authenticated by means of a structure-preserving signature Θ_i, which is included in RL_t and will be used in a set membership proof [23].

During the join protocol, users obtain from the GM a structure-preserving signature on a compact encoding C_v of the path (I_1, . . . , I_ℓ) between their leaf v and the root ε, where C_v is computed as a commitment to the vector of node identifiers (I_1, . . . , I_ℓ). The whole path is thus encoded as a single group element.

In order to anonymously prove his non-revocation, a group member U_i uses RL_t to determine the generic subset S_{k_l,u_l}, with l ∈ {1, . . . , m}, where his leaf v_i lies. He commits to the corresponding vector of group elements R_l that encodes the node identifiers ID(x_{k_l}) and ID(x_{u_l}) of the primary and secondary roots of S_{k_l,u_l} at levels φ_l and ψ_l, respectively. If (I_1, . . . , I_ℓ) identifies the path from his leaf v_i to ε, the unrevoked member U_i generates a membership proof for the subset S_{k_l,u_l} by proving that ID(x_{k_l}) = I_{φ_l} and ID(x_{u_l}) ≠ I_{ψ_l} (in other words, that x_{k_l} is an ancestor of v_i and x_{u_l} is not). To succinctly prove these statements, U_i uses the properties of the vector commitment scheme recalled in Section 2.4. Finally, in order to convince the verifier that he used a legal element of RL_t, U_i follows the technique of [23] and proves knowledge of a signature Θ_l on the committed vector of group elements R_l. By doing so, U_i thus provides evidence that his leaf v_i is a member of some authorized subset S_{k_l,u_l} without revealing l ∈ {1, . . . , m}.
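The node identifiers of Section 3, the Subset Difference cover that the GM computes in step 1 of Revoke, and the lookup an unrevoked member performs in step 1 of Sign before proving I_{φ_l} = ID(x_{k_l}) and I_{ψ_l} ≠ ID(x_{u_l}), as an added Python example that is not part of the paper. It assumes the paper's conventions (N = 2^{ℓ−1} leaves with identifiers N, . . . , 2N − 1, root at depth 1) and implements the Naor-Naor-Lotspiech covering algorithm on the Steiner tree of the revoked leaves; the sample tree and revocation set are constructed here.

```python
# Added example (not from the paper): node identifiers, the SD cover of Revoke
# step 1 and the member's subset lookup of Sign step 1, as pure combinatorics.
# Assumptions: N = 2^(ell-1) leaves with ID(v) in {N, ..., 2N-1}, root ID 1 at
# depth 1, and ID(x) = 2*ID(parent(x)) + b as in Section 3.

def depth(node_id):
    """Depth of a node, the root (ID 1) being at depth 1."""
    return node_id.bit_length()

def path_ids(leaf_id, ell):
    """(I_1, ..., I_ell): identifiers from the root down to the leaf."""
    return [leaf_id >> (ell - k) for k in range(1, ell + 1)]

def is_descendant(x, y):
    """True if x lies in the subtree T_y rooted at y (y itself included)."""
    d = depth(x) - depth(y)
    return d >= 0 and (x >> d) == y

def sd_cover(ell, revoked):
    """Revoke step 1: Naor-Naor-Lotspiech SD cover of the unrevoked leaves.
    Returns (ID(x_k), ID(x_u)) pairs, x_u a proper descendant of x_k, computed
    on the Steiner tree of the revoked leaves (at least one must be revoked)."""
    n = 1 << (ell - 1)
    if not revoked:
        raise ValueError("SD cover assumes at least one revoked leaf")
    if any(not n <= r < 2 * n for r in revoked):
        raise ValueError("revoked identifiers must be leaves")
    steiner = set()                 # every node on a root-to-revoked-leaf path
    for r in revoked:
        x = r
        while x >= 1:
            steiner.add(x)
            x //= 2

    def chain_end(x):
        # Last node of the Steiner chain below x, or None if it branches.
        while True:
            kids = [c for c in (2 * x, 2 * x + 1) if c in steiner]
            if not kids:
                return x
            if len(kids) == 2:
                return None
            x = kids[0]

    cover = []
    while True:
        # A branching node v whose two Steiner branches are both plain chains.
        v = next((x for x in sorted(steiner, reverse=True)
                  if 2 * x in steiner and 2 * x + 1 in steiner
                  and chain_end(2 * x) is not None
                  and chain_end(2 * x + 1) is not None), None)
        if v is None:
            break
        for child in (2 * v, 2 * v + 1):
            end = chain_end(child)
            if end != child:        # S_{child,end}: leaves of T_child not in T_end
                cover.append((child, end))
        # Leaves below v are now revoked or covered: v becomes a Steiner leaf.
        steiner = {x for x in steiner if x == v or not is_descendant(x, v)}
    end = chain_end(1)              # a single chain from the root remains
    if end != 1:
        cover.append((1, end))
    return cover

def check_cover(ell, revoked, cover):
    """True if the cover partitions the unrevoked leaves and m <= 2|R| - 1."""
    n = 1 << (ell - 1)
    hits = {v: 0 for v in range(n, 2 * n)}
    for k, u in cover:
        if k == u or not is_descendant(u, k):
            return False
        for v in hits:
            if is_descendant(v, k) and not is_descendant(v, u):
                hits[v] += 1
    partition = all(hits[v] == (0 if v in revoked else 1) for v in hits)
    return partition and len(cover) <= 2 * len(revoked) - 1

def find_subset(ell, leaf_id, cover):
    """Sign step 1: (l, phi_l, psi_l) of the subset holding the leaf, decided
    exactly as the member later proves it: I_phi = ID(x_k) and I_psi != ID(x_u).
    Returns None for a revoked leaf, which lies in no subset of the cover."""
    ids = path_ids(leaf_id, ell)
    for l, (k, u) in enumerate(cover):
        phi, psi = depth(k), depth(u)
        if ids[phi - 1] == k and ids[psi - 1] != u:
            return l, phi, psi
    return None

if __name__ == "__main__":
    ELL, R_T = 4, {9, 14}           # constructed sample: N = 8 leaves, IDs 8..15
    cover = sd_cover(ELL, R_T)
    print("SD cover:", cover, "valid:", check_cover(ELL, R_T, cover))
    print("leaf 11 ->", find_subset(ELL, 11, cover))    # (0, 2, 4): in S_{2,9}
    print("leaf 14 ->", find_subset(ELL, 14, cover))    # None: revoked
```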

In order to obtain the strongest flavor of anonymity (i.e., where the adversary has access to a signature opening oracle), the scheme uses Kiltz's tag-based encryption scheme [42] as in Groth's construction [35]. For non-frameability purposes, the group member U_i also generates a weak Boneh-Boyen signature [12] (which yields a fully secure signature when combined with a one-time signature) using x = log_g(X), where X ∈ G is a group element certified by the GM and bound to the path (I_1, . . . , I_ℓ) during the join protocol.

3.1 Construction

As in standard security models for group signatures, we assume that, before joining the group, user U_i chooses a long term key pair (usk[i], upk[i]) and registers it in some PKI.

Setup(λ, N): given a security parameter λ ∈ N and the permitted number of users N = 2^{ℓ−1},

1. Choose bilinear groups (G, G_T) of prime order p > 2^λ, with a generator g ←R G.

2. Define n_0 = 2 and n_1 = 5. Generate two key pairs $(sk^{(0)}_{AHO}, pk^{(0)}_{AHO})$ and $(sk^{(1)}_{AHO}, pk^{(1)}_{AHO})$ for the AHO signature in order to sign messages of n_0 and n_1 group elements, respectively. These key pairs are

$$
pk^{(d)}_{AHO} = \Big( G^{(d)}_r,\; H^{(d)}_r,\; G^{(d)}_z = G_r^{\gamma^{(d)}_z},\; H^{(d)}_z = H_r^{\delta^{(d)}_z},\; \big\{ G^{(d)}_i = G_r^{\gamma^{(d)}_i},\; H^{(d)}_i = H_r^{\delta^{(d)}_i} \big\}_{i=1}^{n_d},\; A^{(d)},\; B^{(d)} \Big)
$$

and $sk^{(d)}_{AHO} = \big( \alpha^{(d)}_a,\; \alpha^{(d)}_b,\; \gamma^{(d)}_z,\; \delta^{(d)}_z,\; \{ \gamma^{(d)}_i, \delta^{(d)}_i \}_{i=1}^{n_d} \big)$, where d ∈ {0, 1}. These two schemes will be used to sign messages consisting of 2 and 5 group elements, respectively.

3. Generate a public key ck = (g_1, . . . , g_ℓ, g_{ℓ+2}, . . . , g_{2ℓ}) ∈ G^{2ℓ−1} for vectors of dimension ℓ in the vector commitment scheme recalled in Section 2.4. The trapdoor g_{ℓ+1} is not needed and can be discarded.

4. As a CRS for the NIWI proof system, select vectors $\mathbf{f} = (\vec f_1, \vec f_2, \vec f_3)$ s.t. $\vec f_1 = (f_1, 1, g) \in \mathbb{G}^3$, $\vec f_2 = (1, f_2, g) \in \mathbb{G}^3$, and $\vec f_3 = \vec f_1^{\,\xi_1} \cdot \vec f_2^{\,\xi_2}$, with $f_1 = g^{\beta_1}, f_2 = g^{\beta_2} \xleftarrow{R} \mathbb{G}$ and $\beta_1, \beta_2, \xi_1, \xi_2 \xleftarrow{R} \mathbb{Z}_p^*$. We also define the vector $\vec\varphi = \vec f_3 \cdot (1, 1, g)$.

5. Choose (U, V) ←R G^2 that, together with generators f_1, f_2, g ∈ G, will form a public encryption key.

6. Select a strongly unforgeable one-time signature Σ = (G,S,V).

7. Set $S_{GM} := (sk^{(0)}_{AHO}, sk^{(1)}_{AHO})$ and $S_{OA} := (\beta_1, \beta_2)$ as authorities' private keys, and the group public key is

$$
\mathcal{Y} := \Big( g,\; pk^{(0)}_{AHO},\; pk^{(1)}_{AHO},\; ck = (g_1, \ldots, g_\ell, g_{\ell+2}, \ldots, g_{2\ell}),\; \mathbf{f},\; \vec\varphi,\; (U, V),\; \Sigma \Big).
$$

Join(GM, U_i): the group manager and the prospective user U_i run the following interactive protocol [J_user(λ, Y), J_GM(λ, St, Y, S_GM)]:

1. J_user(λ, Y) draws x ←R Z_p and computes X = g^x which is sent to J_GM(λ, St, Y, S_GM). If X ∈ G already appears in some entry transcript_j of the database St_trans, J_GM halts and returns ⊥ to J_user.

2. J_GM assigns to U_i an available leaf v of identifier ID(v) in the tree T. Let x_1, . . . , x_ℓ be the path from x_ℓ = v to the root x_1 = ε of T. Let also (I_1, . . . , I_ℓ) = (ID(x_1), . . . , ID(x_ℓ)) be the corresponding vector of identifiers (with I_1 = 1 and I_ℓ = ID(v) ∈ {N, . . . , 2N − 1}). Then, J_GM does the following.

a. Compute a compact encoding of (I_1, . . . , I_ℓ) as $C_v = \prod_{\kappa=1}^{\ell} g_{\ell+1-\kappa}^{I_\kappa} = g_\ell^{I_1} \cdots g_1^{I_\ell}$.

b. Using $sk^{(0)}_{AHO}$, generate an AHO signature σ_v = (θ_{v,1}, . . . , θ_{v,7}) on the pair (X, C_v) ∈ G^2 so as to bind the encoded path C_v to the value X that identifies U_i.

3. J_GM sends ID(v) ∈ {N, . . . , 2N − 1} and C_v to J_user, which halts if ID(v) ∉ {N, . . . , 2N − 1} or if C_v is found incorrect. Otherwise, J_user sends a signature $sig_i = \mathrm{Sign}_{usk[i]}\big( X \,\|\, (I_1, \ldots, I_\ell) \big)$ to J_GM.

4. J_GM checks that $\mathrm{Verify}_{upk[i]}\big( (X \,\|\, (I_1, \ldots, I_\ell)),\; sig_i \big) = 1$. If not, J_GM aborts. Otherwise, J_GM returns the AHO signature σ_v to J_user and stores transcript_i = (X, ID(v), C_v, σ_v, sig_i) in the database St_trans.

5. J_user defines the membership certificate as cert_i = (ID(v), X, C_v, σ_v) ∈ {N, . . . , 2N − 1} × G^9, where X will serve as the tag identifying U_i. The membership secret sec_i is defined as sec_i = x ∈ Z_p.

Revoke(Y, S_GM, t, R_t): parse S_GM as $S_{GM} := (sk^{(0)}_{AHO}, sk^{(1)}_{AHO})$ and do the following.

1. Using the subset covering algorithm of the SD method, find a cover of the unrevoked user set {1, . . . , N}\R_t as the union of disjoint subsets of the form S_{k_1,u_1}, . . . , S_{k_m,u_m}, where m ≤ 2 · |R_t| − 1.

2. For i = 1 to m, do the following.

a. Consider the subset S_{k_i,u_i} as the difference between sub-trees rooted at an internal node x_{k_i} and one of its descendants x_{u_i}. Let φ_i, ψ_i ∈ {1, . . . , ℓ} be the depths of x_{k_i} and x_{u_i}, respectively, in T assuming that the root ε is at depth 1. Encode S_{k_i,u_i} as a vector $\big( g_{\phi_i},\; g_1^{ID(x_{k_i})},\; g_{\psi_i},\; g^{ID(x_{u_i})} \big)$.

b. To authenticate S_{k_i,u_i} and bind it to the revocation epoch t, use $sk^{(1)}_{AHO}$ to generate an AHO signature Θ_i = (Θ_{i,1}, . . . , Θ_{i,7}) ∈ G^7 on $R_i = \big( g^t,\; g_{\phi_i},\; g_1^{ID(x_{k_i})},\; g_{\psi_i},\; g^{ID(x_{u_i})} \big)$, where the epoch number t is interpreted as an element of Z_p.

Return the revocation data

$$
RL_t = \Big( t,\; R_t,\; \big\{ \phi_i,\; \psi_i,\; ID(x_{k_i}),\; ID(x_{u_i}),\; \Theta_i = (\Theta_{i,1}, \ldots, \Theta_{i,7}) \big\}_{i=1}^{m} \Big). \qquad (4)
$$

Sign(Y, t, RL_t, cert_i, sec_i, M): return ⊥ if i ∈ R_t. Otherwise, to sign M ∈ {0, 1}^*, generate a one-time signature key pair (SK, VK) ← G(λ). Parse cert_i as cert_i = (ID(v_i), X, C_{v_i}, σ_{v_i}) ∈ {N, . . . , 2N − 1} × G^9 and sec_i as x ∈ Z_p. Let ε = x_1, . . . , x_ℓ = v_i be the path connecting v_i to the root ε of T and let (I_1, . . . , I_ℓ) = (ID(x_1), . . . , ID(x_ℓ)) be the vector of node identifiers. First, U_i generates a commitment $com_{C_{v_i}}$ to the encoding C_{v_i} of the path (I_1, . . . , I_ℓ) from v_i to the root. Then, he does the following.

1. Using RL_t, find the set S_{k_l,u_l}, with l ∈ {1, . . . , m}, that contains the leaf v_i identified by ID(v_i). Let x_{k_l} and x_{u_l} denote the primary and secondary roots of S_{k_l,u_l} at depths φ_l and ψ_l, respectively. Since x_{k_l} is an ancestor of v_i but x_{u_l} is not, it must be the case that I_{φ_l} = ID(x_{k_l}) and I_{ψ_l} ≠ ID(x_{u_l}).

2. To prove that v_i belongs to S_{k_l,u_l} without leaking l, U_i first re-randomizes the l-th AHO signature Θ_l of RL_t as $\{\Theta'_{l,i}\}_{i=1}^{7} \leftarrow \mathrm{ReRand}(pk^{(1)}_{AHO}, \Theta_l)$. Then, he commits to the l-th revocation message

$$
R_l = (R_{l,1}, R_{l,2}, R_{l,3}, R_{l,4}, R_{l,5}) = \big( g^t,\; g_{\phi_l},\; g_1^{ID(x_{k_l})},\; g_{\psi_l},\; g^{ID(x_{u_l})} \big) \qquad (5)
$$

and its signature Θ'_l = (Θ'_{l,1}, . . . , Θ'_{l,7}) by computing Groth-Sahai commitments $\{com_{R_{l,\tau}}\}_{\tau=2}^{5}$, $\{com_{\Theta'_{l,j}}\}_{j \in \{1,2,5\}}$ to $\{R_{l,\tau}\}_{\tau=2}^{5}$ and $\{\Theta'_{l,j}\}_{j \in \{1,2,5\}}$.

a. To prove that I_{φ_l} = ID(x_{k_l}), U_i first computes $W_{\phi_l} = \prod_{\kappa=1,\, \kappa \neq \phi_l}^{\ell} g_{\ell+1-\kappa+\phi_l}^{I_\kappa}$ that satisfies the equality $e(g_{\phi_l}, C_{v_i}) = e(g_1, g_\ell)^{I_{\phi_l}} \cdot e(g, W_{\phi_l})$. Then, U_i generates a Groth-Sahai commitment $com_{W_{\phi_l}}$ to $W_{\phi_l}$. He computes a NIWI proof that committed variables $(R_{l,2}, R_{l,3}, C_{v_i}, W_{\phi_l})$ satisfy

$$
e(R_{l,2}, C_{v_i}) = e(R_{l,3}, g_\ell) \cdot e(g, W_{\phi_l}). \qquad (6)
$$

We denote by π_eq the proof for the quadratic equation (6), which requires 9 group elements.

b. To prove that I_{ψ_l} ≠ ID(x_{u_l}), U_i computes $W_{\psi_l} = \prod_{\kappa=1,\, \kappa \neq \psi_l}^{\ell} g_{\ell+1-\kappa+\psi_l}^{I_\kappa}$ that satisfies the equality $e(g_{\psi_l}, C_{v_i}) = e(g_1, g_\ell)^{I_{\psi_l}} \cdot e(g, W_{\psi_l})$. Then, he computes a commitment $com_{W_{\psi_l}}$ to $W_{\psi_l}$ as well as commitments $com_{\Gamma_l}$ and $\{com_{\Psi_{l,\tau}}\}_{\tau \in \{0,1,2\ell\}}$ to the group elements

$$
(\Gamma_l,\; \Psi_{l,0},\; \Psi_{l,1},\; \Psi_{l,2\ell}) = \big( g^{1/(I_{\psi_l} - ID(x_{u_l}))},\; g^{I_{\psi_l}},\; g_1^{I_{\psi_l}},\; g_{2\ell}^{I_{\psi_l}} \big).
$$

Then, U_i provides evidence that committed variables $(R_{l,4}, R_{l,5}, C_{v_i}, \Gamma_l, \Psi_{l,0}, \Psi_{l,1}, \Psi_{l,2\ell})$ satisfy

$$
e(R_{l,4}, C_{v_i}) = e(\Psi_{l,1}, g_\ell) \cdot e(g, W_{\psi_l}), \qquad e(\Psi_{l,0}/R_{l,5}, \Gamma_l) = e(g, g) \qquad (7)
$$

$$
e(\Psi_{l,1}, g) = e(g_1, \Psi_{l,0}), \qquad e(\Psi_{l,2\ell}, g) = e(g_{2\ell}, \Psi_{l,0}). \qquad (8)
$$

We denote this NIWI proof by π_neq = (π_{neq,1}, π_{neq,2}, π_{neq,3}, π_{neq,4}). Since the first two equations (7) are quadratic, π_{neq,1} and π_{neq,2} consist of 9 elements each. The last two equations (8) are linear and both cost 3 elements to prove.

3. U_i provides evidence that the tuple R_l of (5) is a certified revocation message for epoch t: namely, he computes a NIWI proof $\pi_{R_l}$ that committed message elements $\{R_{l,\tau}\}_{\tau=2}^{5}$ and signature components $\{\Theta'_{l,j}\}_{j \in \{1,2,5\}}$ satisfy the equations

$$
A^{(1)} \cdot e(\Theta'_{l,3}, \Theta'_{l,4})^{-1} \cdot e(G^{(1)}_1, g^t)^{-1} = e(G^{(1)}_z, \Theta'_{l,1}) \cdot e(G^{(1)}_r, \Theta'_{l,2}) \cdot \prod_{\tau=2}^{5} e(G^{(1)}_\tau, R_{l,\tau}), \qquad (9)
$$

$$
B^{(1)} \cdot e(\Theta'_{l,6}, \Theta'_{l,7})^{-1} \cdot e(H^{(1)}_1, g^t)^{-1} = e(H^{(1)}_z, \Theta'_{l,1}) \cdot e(H^{(1)}_r, \Theta'_{l,5}) \cdot \prod_{\tau=2}^{5} e(H^{(1)}_\tau, R_{l,\tau}).
$$

Since $\{\Theta'_{l,j}\}_{j \in \{3,4,6,7\}}$ are constants, equations (9) are both linear and thus require 3 elements each. Hence, $\pi_{R_l}$ takes 6 elements altogether.

4. Let σ_{v_i} = (θ_{v_i,1}, . . . , θ_{v_i,7}) be the AHO signature on the message (X, C_{v_i}). Set $\{\theta'_{v_i,j}\}_{j=1}^{7} \leftarrow \mathrm{ReRand}(pk^{(0)}_{AHO}, \sigma_{v_i})$ and generate commitments $\{com_{\theta'_{v_i,j}}\}_{j \in \{1,2,5\}}$ to $\{\theta'_{v_i,j}\}_{j \in \{1,2,5\}}$ as well as a commitment com_X to X. Then, generate a NIWI proof $\pi_{\sigma_{v_i}}$ that committed variables satisfy the verification equations

$$
A^{(0)} \cdot e(\theta'_{l,3}, \theta'_{l,4})^{-1} = e(G^{(0)}_z, \theta'_{l,1}) \cdot e(G^{(0)}_r, \theta'_{l,2}) \cdot e(G^{(0)}_1, X) \cdot e(G^{(0)}_2, C_{v_i}),
$$

$$
B^{(0)} \cdot e(\theta'_{l,6}, \theta'_{l,7})^{-1} = e(H^{(0)}_z, \theta'_{l,1}) \cdot e(H^{(0)}_r, \theta'_{l,5}) \cdot e(H^{(0)}_1, X) \cdot e(H^{(0)}_2, C_{v_i}).
$$

Since these equations are linear, $\pi_{\sigma_{v_i}}$ requires 6 group elements.

5. Using VK as a tag (by first hashing it onto Z_p in such a way that it can be interpreted as a Z_p element), compute a tag-based encryption [42] of X by drawing z_1, z_2 ←R Z_p and setting

$$
(\Upsilon_1, \Upsilon_2, \Upsilon_3, \Upsilon_4, \Upsilon_5) = \big( f_1^{z_1},\; f_2^{z_2},\; X \cdot g^{z_1+z_2},\; (g^{VK} \cdot U)^{z_1},\; (g^{VK} \cdot V)^{z_2} \big).
$$

6. Generate a NIZK proof that $com_X = (1, 1, X) \cdot \vec f_1^{\,w_{X,1}} \cdot \vec f_2^{\,w_{X,2}} \cdot \vec f_3^{\,w_{X,3}}$ and (Υ_1, Υ_2, Υ_3) are BBS encryptions of the same value X. If we write $\vec f_3 = (f_{3,1}, f_{3,2}, f_{3,3})$, the Groth-Sahai commitment com_X can be written as $\big( f_1^{w_{X,1}} \cdot f_{3,1}^{w_{X,3}},\; f_2^{w_{X,2}} \cdot f_{3,2}^{w_{X,3}},\; X \cdot g^{w_{X,1}+w_{X,2}} \cdot f_{3,3}^{w_{X,3}} \big)$, so that we have

$$
com_X \cdot (\Upsilon_1, \Upsilon_2, \Upsilon_3)^{-1} = \big( f_1^{\chi_1} \cdot f_{3,1}^{\chi_3},\; f_2^{\chi_2} \cdot f_{3,2}^{\chi_3},\; g^{\chi_1+\chi_2} \cdot f_{3,3}^{\chi_3} \big) \qquad (10)
$$

with χ_1 = w_{X,1} − z_1, χ_2 = w_{X,2} − z_2, χ_3 = w_{X,3}. Compute $com_{\chi_j} = \vec\varphi^{\,\chi_j} \cdot \vec f_1^{\,w_{\chi_j,1}} \cdot \vec f_2^{\,w_{\chi_j,2}}$, with $w_{\chi_j,1}, w_{\chi_j,2} \xleftarrow{R} \mathbb{Z}_p$ for j ∈ {1, 2, 3}, as commitments to $\{\chi_j\}_{j=1}^{3}$ and generate proofs $\{\pi_{eq\text{-}com,j}\}_{j=1}^{3}$ that χ_1, χ_2, χ_3 satisfy the three linear relations (10). The proofs $\{\pi_{eq\text{-}com,j}\}_{j=1}^{3}$ cost 2 elements each.


7. Compute a weak Boneh-Boyen signature $\sigma_{VK} = g^{1/(x+VK)}$ on VK and a commitment $com_{\sigma_{VK}}$ to σ_VK. Then, generate a NIWI proof $\pi_{\sigma_{VK}} = (\vec\pi_{\sigma_{VK},1}, \vec\pi_{\sigma_{VK},2}, \vec\pi_{\sigma_{VK},3}) \in \mathbb{G}^9$ that committed variables (σ_VK, X) ∈ G^2 satisfy the quadratic equation $e(\sigma_{VK}, X \cdot g^{VK}) = e(g, g)$.

8. Compute σ_ots = S(SK, (M, RL_t, Υ_1, Υ_2, Υ_3, Υ_4, Υ_5, Ω, com, Π)) where $\Omega = \{\Theta'_{l,i}, \theta'_{l,i}\}_{i \in \{3,4,6,7\}}$ and

$$
com = \big( com_{C_{v_i}},\; com_X,\; \{com_{R_{l,\tau}}\}_{\tau=2}^{5},\; com_{W_{\phi_l}},\; com_{W_{\psi_l}},\; com_{\Gamma_l},\; \{com_{\Psi_{l,\tau}}\}_{\tau \in \{0,1,2\ell\}},\; \{com_{\Theta'_{l,j}}\}_{j \in \{1,2,5\}},\; \{com_{\theta'_{l,j}}\}_{j \in \{1,2,5\}},\; \{com_{\chi_j}\}_{j=1}^{3},\; com_{\sigma_{VK}} \big)
$$

$$
\Pi = \big( \pi_{eq},\; \pi_{neq},\; \pi_{R_l},\; \pi_{\sigma_{v_i}},\; \{\pi_{eq\text{-}com,j}\}_{j=1}^{3},\; \pi_{\sigma_{VK}} \big).
$$

Return the signature σ = (VK, Υ_1, Υ_2, Υ_3, Υ_4, Υ_5, Ω, com, Π, σ_ots).

Verify(σ, M, t, RL_t, Y): parse σ as above. If V(VK, (M, RL_t, Υ_1, Υ_2, Υ_3, Υ_4, Υ_5, Ω, com, Π), σ_ots) = 0 or if (Υ_1, Υ_2, Υ_3, Υ_4, Υ_5) is not a well-formed tag-based encryption (that is, if $e(\Upsilon_1, g^{VK} \cdot U) \neq e(f_1, \Upsilon_4)$ or $e(\Upsilon_2, g^{VK} \cdot V) \neq e(f_2, \Upsilon_5)$), return 0. Then, return 1 if all proofs properly verify. Otherwise, return 0.

Open(M, t, RL_t, σ, S_OA, Y, St): parse σ as above and return ⊥ if Verify(σ, M, t, RL_t, Y) = 0. Otherwise, given S_OA = (β_1, β_2), compute $X = \Upsilon_3 \cdot \Upsilon_1^{-1/\beta_1} \cdot \Upsilon_2^{-1/\beta_2}$. In the database St_trans, find a record ⟨i, transcript_i = (X_i, ID(v_i), C_{v_i}, σ_{v_i}, sig_i)⟩ such that X_i = X. If no such record exists in St_trans, return ⊥. Otherwise, return i.

At first glance, the variable Ψ_{l,2ℓ} and the proof of the second equality (8) may seem unnecessary in step 2.b of the signing algorithm. However, this element plays a crucial role when it comes to proving the security under the ℓ-FlexDHE assumption. Indeed, the proof of security against misidentification attacks (more precisely, the proof of Lemma 1 in Appendix B.1) ceases to go through if we remove Ψ_{l,2ℓ} and its corresponding proof.

As far as efficiency goes, each entry of RL_t contains 7 group elements and two node identifiers of O(log N) bits each. If λ_G is the bitlength of a group element, we have log N ≤ λ_G/2 (since λ ≤ λ_G and N is polynomial), so that the number of bits of RL_t is bounded by 2 · |R_t| · (7 · λ_G + 2 log N + 2 log log N) < 2 · |R_t| · (9λ_G) bits. The size of RL_t is thus bounded by that of 18 · |R_t| group elements.

Unlike [47], group members only need to store 9 group elements in their membership certificate. As far as the size of signatures goes, com and Π require 66 and 60 group elements, respectively. If the one-time signature of [34] is used, VK and σ_ots consist of 3 elements of G and 2 elements of Z_p, respectively. The global size of σ amounts to that of 144 group elements, which is about 50% longer than [47]. In comparison with [35] (which does not natively support revocation), signatures are only longer by a factor of 3. At the 128-bit security level, each group element should have a 512-bit representation and a signature takes 9 kB.

Verifying signatures takes constant time. The signer has to compute at most 2ℓ = O(log N) exponentiations to obtain W_{φ_l} and W_{ψ_l} at the beginning of each revocation epoch. Note that these exponentiations involve short exponents of O(log N) bits each. Hence, computing W_{φ_l} and W_{ψ_l} requires O(log^2 N) multiplications in G. For this reason, since we always have log^2 N ≤ λ (as long as N ≤ 2^{λ^{1/2}}), this cost is dominated by that of a single exponentiation in G.
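The algebra behind C_v (Join step 2.a), the witnesses W_{φ_l} and W_{ψ_l} just discussed, and equations (6), (7), (8) of Sign steps 2.a and 2.b, as an added Python example that is not part of the paper. It is a sanity model only: every group element g^a is represented by its exponent a modulo a constructed prime and a pairing e(g^a, g^b) by the product ab, so it checks that the verification equations hold for an honest signer (and cannot even be formed for a revoked leaf) but has none of the scheme's hiding or binding properties; the key elements g_i = g^{α^i} are built from a known toy trapdoor α, and the tree, leaf and subset values are constructed.

```python
# Added example (not from the paper): an algebraic sanity model of the path
# encoding C_v (Join step 2.a) and of equations (6), (7), (8) (Sign steps 2.a
# and 2.b). A group element g^a is represented by its exponent a mod P and a
# pairing e(g^a, g^b) = e(g,g)^{ab} by the product a*b mod P, so the model only
# checks that the verification equations hold; it has no hiding or binding
# property and the trapdoor alpha behind g_i = g^(alpha^i) is known to it.

P = 2**127 - 1            # constructed toy prime standing in for the group order

def path_ids(leaf_id, ell):
    """(I_1, ..., I_ell): identifiers from the root (ID 1) down to the leaf."""
    return [leaf_id >> (ell - k) for k in range(1, ell + 1)]

def g_i(alpha, i):
    """Exponent of the commitment-key element g_i = g^(alpha^i)."""
    return pow(alpha, i, P)

def pair(a, b):
    """e(g^a, g^b) = e(g,g)^{ab}, as the exponent a*b in the target group."""
    return a * b % P

def encode_path(alpha, ids):
    """C_v = prod_{kappa=1..ell} g_{ell+1-kappa}^{I_kappa} (Join step 2.a)."""
    ell = len(ids)
    return sum(I * g_i(alpha, ell + 1 - k) for k, I in enumerate(ids, 1)) % P

def witness(alpha, ids, pos):
    """W_pos = prod_{kappa != pos} g_{ell+1-kappa+pos}^{I_kappa}."""
    ell = len(ids)
    return sum(I * g_i(alpha, ell + 1 - k + pos)
               for k, I in enumerate(ids, 1) if k != pos) % P

def check_membership(alpha, ids, phi, id_xk):
    """Equation (6): e(g_phi, C_v) = e(g_1^{ID(x_k)}, g_ell) * e(g, W_phi).
    With the honest witness this holds iff I_phi = ID(x_k), i.e. iff x_k is
    the ancestor of the leaf at depth phi."""
    ell = len(ids)
    lhs = pair(g_i(alpha, phi), encode_path(alpha, ids))
    rhs = pair(id_xk * g_i(alpha, 1) % P, g_i(alpha, ell))  # R_{l,3} = g_1^{ID(x_k)}
    rhs = (rhs + pair(1, witness(alpha, ids, phi))) % P
    return lhs == rhs

def non_membership_gadget(alpha, ids, psi, id_xu):
    """(Gamma, Psi_0, Psi_1, Psi_2ell) of Sign step 2.b, as exponents.
    Returns None when I_psi = ID(x_u): the inverse 1/(I_psi - ID(x_u)) does
    not exist, which is exactly why a leaf below x_u cannot build the proof."""
    ell = len(ids)
    i_psi = ids[psi - 1]
    diff = (i_psi - id_xu) % P
    if diff == 0:
        return None
    gamma = pow(diff, -1, P)                 # Gamma = g^{1/(I_psi - ID(x_u))}
    return (gamma, i_psi % P, i_psi * g_i(alpha, 1) % P,
            i_psi * g_i(alpha, 2 * ell) % P)

def check_non_membership(alpha, ids, psi, id_xu):
    """Equations (7) and (8), with R_{l,4} = g_psi and R_{l,5} = g^{ID(x_u)}."""
    gadget = non_membership_gadget(alpha, ids, psi, id_xu)
    if gadget is None:
        return False
    gamma, psi0, psi1, psi2l = gadget
    ell = len(ids)
    c_v, w_psi = encode_path(alpha, ids), witness(alpha, ids, psi)
    eq7a = pair(g_i(alpha, psi), c_v) == (pair(psi1, g_i(alpha, ell)) + pair(1, w_psi)) % P
    eq7b = pair((psi0 - id_xu) % P, gamma) == pair(1, 1)     # e(Psi_0/R_5, Gamma) = e(g,g)
    eq8a = pair(psi1, 1) == pair(g_i(alpha, 1), psi0)        # e(Psi_1, g) = e(g_1, Psi_0)
    eq8b = pair(psi2l, 1) == pair(g_i(alpha, 2 * ell), psi0)  # e(Psi_2ell, g) = e(g_2ell, Psi_0)
    return eq7a and eq7b and eq8a and eq8b

if __name__ == "__main__":
    ELL, ALPHA = 4, 123456789        # constructed toy tree (8 leaves) and trapdoor
    ids = path_ids(11, ELL)          # leaf 11: (I_1, ..., I_4) = (1, 2, 5, 11)
    # Subset S_{2,9}: primary root 2 at depth 2, secondary root 9 at depth 4.
    print(check_membership(ALPHA, ids, 2, 2))                    # True
    print(check_non_membership(ALPHA, ids, 4, 9))                # True
    print(check_non_membership(ALPHA, path_ids(9, ELL), 4, 9))   # False: 9 is revoked
```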

3.2 Security

From a security point of view, we prove the following theorem in Appendix B.

Theorem 1. The scheme provides anonymity as well as security against misidentification and framing attacks if the SFP, FlexDHE, SDH and DLIN assumptions all hold in G.

In comparison with [47], the security proof requires the additional non-standard ℓ-FlexDHE assumption, where ℓ = log(N). In Appendix C, we show how to rest on weaker (and fewer) intractability assumptions if we accept to use a group public key of size O(log^2 N) while keeping all other complexities unchanged. This construction offers an interesting tradeoff since, in some applications, group public keys of log-squared size are handier to work with than private keys of size O(log^3 N) as in [47].

Appendix C also explains how to eliminate the SDH assumption using the technique of Malkin et al. [48]. In this case, an additive factor of O(λ) appears in the group public key size because a longer Groth-Sahai CRS must be used. On the other hand, the q-SFP assumption becomes the only assumption of variable size.

4 Efficiency Comparisons

This section compares pairing-based revocable group signatures where group members are stateless and do not update their membership certificate whenever a revocation occurs. Comparisons are given in terms of computational costs and the size (measured by the number of group elements) of public keys, signatures, membership certificates and revocation lists as functions of N, r and, in some cases, the number T of revocation epochs. By "constant", we thus mean that the complexity only depends on the security parameter λ.

Table 1. Comparison between pairing-based revocable group signatures

Scheme      | Group public key size | Signature size | Membership certificate size | Revocation list size | Signature cost | Verification cost | Revocation cost | Standard model?
NFHF1 [49]  | O(N)        | O(1) | O(1)        | O(r)            | O(1)       | O(1) | O(r)            | no
NFHF2 [49]  | O(N^{1/2})  | O(1) | O(1)        | O(r)            | O(1)       | O(1) | O(r)            | no
BS [17]     | O(1)        | O(1) | O(1)        | O(r)            | O(1)       | O(r) | O(1)            | no
NF [50]     | O(T)♦       | O(1) | O(1)        | O(r)            | O(1)       | O(r) | O(r)            | no
LV [45]     | O(T)♦       | O(1) | O(1)        | O(r)            | O(1)       | O(r) | O(r)            | yes
LPY1 (SD)   | O(log N)    | O(1) | O(log^3 N)  | O(r)            | O(log N)†  | O(1) | O(r · log N)    | yes
LPY2 (CS)   | O(1)        | O(1) | O(log N)    | O(r · log(N/r)) | O(1)       | O(1) | O(r · log(N/r)) | yes
This work   | O(log N)    | O(1) | O(1)        | O(r)            | O(1)       | O(1) | O(r)            | yes

N: max. number of users; r: number of revocations; T: max. number of revocation epochs.

♦ These schemes can be modified to have O(1)-size group public keys.
† This complexity is only involved at the first signature of each revocation epoch.

As previously mentioned, among schemes where revocations require no update in unrevoked users' credentials, the new method seems asymptotically optimal. The only dependency on N appears in the group public key size, which is logarithmic and thus quite moderate. At the same time, it retains revocation lists of size O(r) (which is on par with the VLR-based approach [17] but without its verification cost of O(r)) as in the SD method of [47]. In comparison with the latter, we also eliminate the O(log N) multiplicative factor in the revocation cost and the complexity of the signing algorithm in the worst case.


The joining protocol is also much more efficient in our scheme than in [47] as the group manager has to generate only one structure-preserving signature (computing C_v in step 2.a of the protocol is actually cheaper than a single exponentiation in G), instead of log(N) in the two schemes of [47].

In Appendix C, we give tradeoffs between the strength of the assumption and the efficiency: in these alternative constructions, the assumption is weakened at the expense of group public keys of size O(log^2 N) or O(λ + log^2 N).

References

1. M. Abe, K. Haralambiev, M. Ohkubo. Signing on Elements in Bilinear Groups for Modular Protocol Design. Cryptology ePrint Archive: Report 2010/133, 2010.

2. M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo. Structure-Preserving Signatures and Commitments to Group Elements. In Crypto'10, LNCS 6223, pp. 209–236, 2010.

3. M. Abe, J. Groth, K. Haralambiev, M. Ohkubo. Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups. In Crypto'11, LNCS 6841, pp. 649–666, 2011.

4. T. Acar, L. Nguyen. Revocation for Delegatable Anonymous Credentials. In PKC'11, LNCS 6571, pp. 423–440, 2011.

5. G. Ateniese, J. Camenisch, S. Hohenberger, B. de Medeiros. Practical group signatures without random oracles. Cryptology ePrint Archive: Report 2005/385, 2005.

6. G. Ateniese, J. Camenisch, M. Joye, G. Tsudik. A practical and provably secure coalition-resistant group signature scheme. In Crypto'00, LNCS 1880, pp. 255–270, 2000.

7. G. Ateniese, D. Song, G. Tsudik. Quasi-Efficient Revocation in Group Signatures. In Financial Cryptography'02, LNCS 2357, pp. 183–197, 2002.

8. M. Bellare, D. Micciancio, B. Warinschi. Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In Eurocrypt'03, LNCS 2656, pp. 614–629, 2003.

9. M. Bellare, P. Rogaway. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In 1st ACM Conference on Computer and Communications Security, pp. 62–73, ACM Press, 1993.

10. M. Bellare, H. Shi, C. Zhang. Foundations of group signatures: The case of dynamic groups. In CT-RSA'05, LNCS 3376, pp. 136–153, 2005.

11. J. Benaloh, M. de Mare. One-Way Accumulators: A Decentralized Alternative to Digital Signatures. In Eurocrypt'93, LNCS 4948, pp. 274–285, 1993.

12. D. Boneh, X. Boyen. Short Signatures Without Random Oracles. In Eurocrypt'04, LNCS 3027, pp. 56–73. Springer-Verlag, 2004.

13. D. Boneh, X. Boyen, E.-J. Goh. Hierarchical identity based encryption with constant size ciphertext. In Eurocrypt'05, LNCS 3494, pp. 440–456, 2005.

14. D. Boneh, X. Boyen, H. Shacham. Short Group Signatures. In Crypto'04, LNCS 3152, pp. 41–55. Springer, 2004.

15. D. Boneh and M. Franklin. Identity based encryption from the Weil pairing. SIAM J. of Computing, 32(3):586–615, 2003. Extended abstract in Crypto'01, LNCS 2139, pp. 213–229, 2001.

16. D. Boneh, C. Gentry and B. Waters. Collusion-Resistant Broadcast Encryption with Short Ciphertexts and Private Keys. In Crypto'05, LNCS 3621, pp. 258–275, 2005.

17. D. Boneh, H. Shacham. Group signatures with verifier-local revocation. In ACM-CCS'04, pp. 168–177. ACM Press, 2004.

18. X. Boyen, B. Waters. Compact Group Signatures Without Random Oracles. In Eurocrypt'06, LNCS 4004, pp. 427–444, Springer, 2006.

19. X. Boyen, B. Waters. Full-Domain Subgroup Hiding and Constant-Size Group Signatures. In PKC'07, LNCS 4450, pp. 1–15, 2007.

20. E. Bresson, J. Stern. Efficient Revocation in Group Signatures. In PKC'01, LNCS 1992, pp. 190–206, 2001.

21. E. Brickell. An efficient protocol for anonymously providing assurance of the container of the private key. Submission to the Trusted Computing Group. April, 2003.

22. E. Brickell, J. Camenisch, L. Chen. Direct Anonymous Attestation. In ACM-CCS'04, pp. 132–145, 2004.

23. J. Camenisch, R. Chaabouni, a. shelat. Efficient Protocols for Set Membership and Range Proofs. In Asiacrypt'08, LNCS 5350, pp. 234–252, Springer, 2008.

24. J. Camenisch, M. Kohlweiss, C. Soriente. An Accumulator Based on Bilinear Maps and Efficient Revocation for Anonymous Credentials. In PKC'09, LNCS 5443, pp. 481–500, 2009.


25. J. Camenisch, M. Kohlweiss, C. Soriente. Solving Revocation with Efficient Update of Anonymous Credentials. In SCN'10, LNCS 6280, pp. 454–471, 2010.

26. J. Camenisch, A. Lysyanskaya. Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials. In Crypto'02, LNCS 2442, pp. 61–76, Springer, 2002.

27. D. Catalano, D. Fiore. Concise Vector Commitments and their Applications to Zero-Knowledge Elementary Databases. In Cryptology ePrint Archive: Report 2011/495, 2011.

28. J. Cathalo, B. Libert, M. Yung. Group Encryption: Non-Interactive Realization in the Standard Model. In Asiacrypt'09, LNCS 5912, pp. 179–196, 2009.

29. D. Chaum, E. van Heyst. Group Signatures. In Eurocrypt'91, LNCS 547, pp. 257–265, Springer, 1991.

30. C. Delerablee, D. Pointcheval. Dynamic Fully Anonymous Short Group Signatures. In Vietcrypt'06, LNCS 4341, pp. 193–210, Springer, 2006.

31. Y. Dodis, N. Fazio. Public Key Broadcast Encryption for Stateless Receivers. In Digital Rights Management (DRM'02), LNCS 2696, pp. 61–80, 2002.

32. G. Fuchsbauer. Automorphic Signatures in Bilinear Groups and an Application to Round-Optimal Blind Signatures. Cryptology ePrint Archive: Report 2009/320, 2009.

33. C. Gentry, A. Silverberg. Hierarchical ID-based cryptography. In Asiacrypt'02, LNCS 2501, Springer, 2002.

34. J. Groth. Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures. In Asiacrypt'06, LNCS 4284, pp. 444–459, Springer, 2006.

35. J. Groth. Fully anonymous group signatures without random oracles. In Asiacrypt 2007, LNCS 4833, pp. 164–180. Springer, 2007.

36. J. Groth, A. Sahai. Efficient non-interactive proof systems for bilinear groups. In Eurocrypt'08, LNCS 4965, pp. 415–432, 2008.

37. D. Halevy, A. Shamir. The LSD broadcast encryption scheme. In Crypto'02, LNCS 2442, pp. 47–60, Springer, 2002.

38. J. Horwitz, B. Lynn. Toward hierarchical identity-based encryption. In Eurocrypt'02, LNCS 2332, Springer, 2002.

39. M. Izabachene, B. Libert, D. Vergnaud. Blockwise P-Signatures and Non-Interactive Anonymous Credentials with Efficient Attributes. 13th IMA International Conference on Cryptography and Coding (IMACC 2011), pp. 431–450, Springer, 2011.

40. A. Kiayias, M. Yung. Secure scalable group signature with dynamic joins and separable authorities. International Journal of Security and Networks (IJSN) Vol. 1, No. 1/2, pp. 24–45, 2006. Earlier version appeared as Cryptology ePrint Archive: Report 2004/076, 2004.

41. A. Kiayias, M. Yung. Group signatures with efficient concurrent join. In Eurocrypt'05, LNCS 3494, pp. 198–214, 2005.

42. E. Kiltz. Chosen-ciphertext security from tag-based encryption. In TCC'06, LNCS 3876, pp. 581–600, 2006.

43. S. Kunz-Jacques and D. Pointcheval. About the security of MTI/C0 and MQV. In SCN'06, LNCS 4116, pp. 156–172, 2006.

44. F. Laguillaumie, P. Paillier, D. Vergnaud. Universally Convertible Directed Signatures. In Asiacrypt'05, LNCS 3788, pp. 682–701, 2005.

45. B. Libert, D. Vergnaud. Group Signatures with Verifier-Local Revocation and Backward Unlinkability in the Standard Model. In CANS'09, LNCS 5888, pp. 498–517, 2009.

46. B. Libert and M. Yung. Concise Mercurial Vector Commitments and Independent Zero-Knowledge Sets with Short Proofs. In TCC'10, LNCS 5978, pp. 499–517, 2010.

47. B. Libert, T. Peters and M. Yung. Scalable Group Signatures with Revocation. In Eurocrypt'12, LNCS series, to appear, 2012.

48. T. Malkin, I. Teranishi, Y. Vahlis, M. Yung. Signatures resilient to continual leakage on memory and computation. In TCC'11, LNCS 6597, pp. 89–106, 2011.

49. T. Nakanishi, H. Fujii, Y. Hira, N. Funabiki. Revocable Group Signature Schemes with Constant Costs for Signing and Verifying. In PKC'09, LNCS 5443, pp. 463–480, 2009.

50. T. Nakanishi, N. Funabiki. Verifier-Local Revocation Group Signature Schemes with Backward Unlinkability from Bilinear Maps. In Asiacrypt'05, LNCS 5443, pp. 533–548, 2009.

51. M. Naor, D. Naor, J. Lotspiech. Revocation and Tracing Schemes for Stateless Receivers. In Crypto'01, LNCS 2139, pp. 41–62, 2001.

52. M. Naor. On Cryptographic Assumptions and Challenges. In Crypto'03, LNCS 2729, pp. 96–109. Springer-Verlag, 2003.

53. L. Nguyen. Accumulators from Bilinear Pairings and Applications. In CT-RSA'05, LNCS 3376, pp. 275–292, 2005.


Page 18: Group Signatures with Almost-for-free RevocationThe setting of dynamically changing groups was analyzed later on by Bellare-Shi-Zhang [10] and, independently, by Kiayias and Yung [40].

54. L. Nguyen, R. Safavi-Naini. Efficient and Provably Secure Trapdoor-Free Group Signature Schemes from Bilinear Pairings. In Asiacrypt’04, LNCS 3329, pp. 372–386, Springer-Verlag, 2004.
55. V. Shoup. Lower bounds for discrete logarithms and related problems. In Eurocrypt’97, LNCS 1233, pp. 256–266, 1997.
56. D. Song. Practical forward secure group signature schemes. In ACM-CCS’01, pp. 225–234, 2001.
57. P. Tsang, M.-Ho Au, A. Kapadia, S. Smith. Blacklistable anonymous credentials: blocking misbehaving users without TTPs. In ACM-CCS’07, pp. 72–81, 2007.
58. P. Tsang, M.-Ho Au, A. Kapadia, S. Smith. PEREA: towards practical TTP-free revocation in anonymous authentication. In ACM-CCS’08, pp. 333–344, 2008.
59. G. Tsudik, S. Xu. Accumulating Composites and Improved Group Signing. In Asiacrypt’03, LNCS 2894, pp. 269–286, 2003.
60. B. Waters. Efficient identity-based encryption without random oracles. In Eurocrypt’05, LNCS 2567, Springer, 2005.
61. S. Zhou, D. Lin. Shorter Verifier-Local Revocation Group Signatures from Bilinear Maps. In CANS’06, LNCS 4301, pp. 126–143, Springer, 2006.

A Correctness and Security Definitions for Revocable Group Signatures

In the following, as in [40], we say that a public state St is valid if it is reachable from St = (∅, ε) by a Turing machine having oracle access to J_GM. Also, a state St′ is said to extend another state St if it is within reach from St.

As in [40, 41], when we write $\mathsf{cert}_i \rightleftharpoons_{\mathcal{Y}} \mathsf{sec}_i$, it means that there exist coin tosses $\varpi$ for J_GM and J_user such that, for some valid public state St′, the execution of [J_user(λ, Y), J_GM(λ, St′, Y, S_GM)]($\varpi$) provides J_user with ⟨i, sec_i, cert_i⟩.

Correctness. A R-GS scheme is correct if the following conditions are all satisfied:

1. In a valid state St, it always holds that |St_users| = |St_trans| and two distinct entries of St_trans always contain certificates with distinct tags.

2. If the protocol [J_user(λ, Y), J_GM(λ, St, Y, S_GM)] is run by two honest parties and ⟨i, cert_i, sec_i⟩ is obtained by J_user, then it holds that $\mathsf{cert}_i \rightleftharpoons_{\mathcal{Y}} \mathsf{sec}_i$.

3. For each revocation epoch t and any ⟨i, cert_i, sec_i⟩ such that $\mathsf{cert}_i \rightleftharpoons_{\mathcal{Y}} \mathsf{sec}_i$, satisfying condition 2, if i ∉ R_t, it always holds that
$\mathsf{Verify}\big(\mathsf{Sign}(\mathcal{Y}, t, RL_t, \mathsf{cert}_i, \mathsf{sec}_i, M),\, M, t, RL_t, \mathcal{Y}\big) = 1.$

4. For any outcome ⟨i, cert_i, sec_i⟩ of the interaction [J_user(·, ·), J_GM(·, St, ·, ·)] for some valid state St, any revocation epoch t such that i ∉ R_t, if σ = Sign(Y, t, RL_t, cert_i, sec_i, M), then
$\mathsf{Open}(M, t, RL_t, \sigma, \mathcal{S}_{OA}, \mathcal{Y}, St') = i.$

Security Model. As in [40], we formalize security properties via experiments where the adversary interacts with a stateful interface I that maintains the following variables:

- state_I: is a data structure representing the state of the interface as the adversary invokes the various oracles. It is initialized as state_I = (St, Y, S_GM, S_OA) ← Setup(λ, N). It includes the (initially empty) set St_users of group members and a dynamically growing database St_trans storing the transcripts of previously executed join protocols. Finally, state_I includes a counter t (which is initialized to 0) indicating the number of user revocation queries so far.

- n = |St_users| < N denotes the current cardinality of the group.

- Sigs: is a database of signatures created by the signing oracle. Each entry consists of a tuple (i, t, M, σ) indicating that message M was signed by user i at epoch t.


- U^a: is the set of users that were introduced by the adversary in the system in an execution of the join protocol.

- U^b: is the set of honest users that the adversary, acting as a dishonest group manager, introduced in the system. For these users, the adversary obtains the transcript of the join protocol but not the user’s membership secret.

When mounting attacks, adversaries will be granted access to the following oracles.

- Q_pub, Q_keyGM and Q_keyOA: when these oracles are invoked, the interface looks up state_I and returns the group public key Y, the GM’s private key S_GM and the opening authority’s private key S_OA respectively.

- Q_a-join: allows the adversary to introduce users under his control in the group. On behalf of the GM, the interface runs J_GM in interaction with the J_user-executing adversary who plays the role of the prospective user in the join protocol. If this protocol successfully ends, the interface increments n, updates St by inserting the new user n in both sets St_users and U^a. It also sets St_trans := St_trans || ⟨n, transcript_n⟩.

- Q_b-join: allows the adversary, acting as a corrupted group manager, to introduce new honest group members of his choice. The interface triggers an execution of [J_user, J_GM] and runs J_user in interaction with the adversary who runs J_GM. If the protocol successfully completes, the interface increments n, adds user n to St_users and U^b and sets St_trans := St_trans || ⟨n, transcript_n⟩. It stores the membership certificate cert_n and the membership secret sec_n in a private part of state_I.

- Q_sig: given a message M and an index i, the interface checks if the private area of state_I contains a certificate cert_i and a membership secret sec_i such that i ∉ R_t, where t is the current revocation epoch. If no such elements (cert_i, sec_i) exist or if i ∉ U^b, the interface returns ⊥. Otherwise, it outputs a signature σ on behalf of user i for epoch t and also sets Sigs ← Sigs || (i, t, M, σ).

- Q_open: when this oracle is invoked on input of a valid pair (M, σ) for some revocation epoch t, the interface runs algorithm Open using the current state St. When S is a set of triples of the form (M, σ, t), Q_open^{¬S} denotes a restricted oracle that only applies the opening algorithm to triples (M, σ, t) which are not in S.

- Q_read and Q_write: are used by the adversary to read and write the content of state_I. Namely, at each invocation, Q_read outputs the whole state_I but the public/private keys and the private part of state_I where membership secrets are stored after Q_b-join-queries. By using Q_write, the adversary can modify state_I at will as long as it does not remove or alter elements of St_users, St_trans or invalidate the public state St: for example, the adversary is allowed to create dummy users as long as it does not re-use already existing certificate tags.

- Q_revoke: is a revocation oracle. Given an index i such that i ∈ St_users, the interface checks if i appears in the appropriate user set (namely, U^a or U^b depending on the considered security notion) and if the database St_trans contains a record ⟨i, transcript_i⟩ such that i ∉ R_t, where t is the current revocation epoch. If not, it returns ⊥. Otherwise, it increments t, adds i to R_t and generates an updated revocation list RL_t which is made available to the adversary. For simplicity, we assumed that the adversary only revokes one user per query to Q_revoke but the model easily extends to allow multiple revocations at once.

The Kiayias-Yung model considers properties called security against misidentification attacks, framing attacks and anonymity.

In a misidentification attack, the adversary can corrupt the opening authority using the Q_keyOA oracle. Moreover, he can also introduce malicious users in the group via Q_a-join-queries and revoke users at any time using Q_revoke. His purpose is to come up with a signature σ* that verifies w.r.t. RL_{t*}, where t* denotes the current revocation epoch (i.e., the number of Q_revoke-queries). He is deemed successful if the produced signature σ* does not open to any unrevoked adversarially-controlled user.

Definition 6. A R-GS scheme is secure against misidentification attacks if, for any PPT adversary A involved in the experiment hereafter, we have $\mathbf{Adv}^{\mathrm{mis\text{-}id}}_{\mathcal{A}}(\lambda) = \Pr[\mathbf{Expt}^{\mathrm{mis\text{-}id}}_{\mathcal{A}}(\lambda) = 1] \in \mathsf{negl}(\lambda)$.

Experiment $\mathbf{Expt}^{\mathrm{mis\text{-}id}}_{\mathcal{A}}(\lambda)$
  state_I = (St, Y, S_GM, S_OA) ← Setup(λ, N);
  (M*, σ*) ← A(Q_pub, Q_a-join, Q_revoke, Q_read, Q_keyOA);
  If Verify(σ*, M*, t*, RL_{t*}, Y) = 0 return 0;
  i = Open(M*, t*, RL_{t*}, σ*, S_OA, Y, St′);
  If (i ∉ U^a \ R_{t*}) return 1;
  Return 0;

This definition extends the usual definition [40] in that A also wins if his forgery σ* verifies w.r.t. RL_{t*} but opens to an adversarially-controlled user that was revoked during the revocation epoch t*.

Framing attacks consider the situation where the entire system, including the group manager and the opening authority, is colluding against some honest user. The adversary can corrupt the group manager as well as the opening authority (via oracles Q_keyGM and Q_keyOA, respectively). He is also allowed to introduce honest group members (via Q_b-join-queries), observe the system while these users sign messages and create dummy users using Q_write. In addition, before the possible corruption of the group manager, the adversary can revoke group members at any time by invoking the Q_revoke oracle. As a potentially corrupted group manager, A is allowed to come up with his own revocation list RL_{t*} at the end of the game. We assume that anyone can publicly verify that RL_{t*} is correctly formed (i.e., that it could be a legitimate output of Revoke) so that the adversary does not come up with an ill-formed revocation list. For consistency, if A chooses not to corrupt the GM, the produced revocation list RL_{t*} must be the one determined by the history of Q_revoke-queries. The adversary eventually aims at framing an honest group member.

Definition 7. A R-GS scheme is secure against framing attacks if, for any PPT adversary A, it holds that $\mathbf{Adv}^{\mathrm{fra}}_{\mathcal{A}}(\lambda) = \Pr[\mathbf{Expt}^{\mathrm{fra}}_{\mathcal{A}}(\lambda) = 1] \in \mathsf{negl}(\lambda)$.

Experiment $\mathbf{Expt}^{\mathrm{fra}}_{\mathcal{A}}(\lambda)$
  state_I = (St, Y, S_GM, S_OA) ← Setup(λ, N);
  (M*, σ*, t*, RL_{t*}) ← A(Q_pub, Q_keyGM, Q_keyOA, Q_b-join, Q_revoke, Q_sig, Q_read, Q_write);
  If Verify(σ*, M*, t*, RL_{t*}, Y) = 0 then return 0;
  i = Open(M*, t*, RL_{t*}, σ*, S_OA, Y, St′);
  If i ∉ U^b return 0;
  If $\big(\bigwedge_{j \in U^b \text{ s.t. } j = i}\ (j, t^\star, M^\star, \ast) \notin \mathsf{Sigs}\big)$ then return 1;
  Return 0;

The notion of anonymity is formalized by means of a game involving a two-stage adversary. In the following, we assume that, from a given valid membership certificate/secret pair (cert, sec) and a given revocation list RL_t, it is easy to decide if (cert, sec) belongs to a revoked user for RL_t. More precisely, there must exist an efficient algorithm IsRevoked that takes as input (sec, cert, RL_t) and returns 1 if the pair (sec, cert) is not the key material of an unrevoked user for RL_t (such an algorithm obviously exists in our construction).

The first stage of the game is called play stage and allows the adversary A to modify state_I via Q_write-queries and to open arbitrary signatures by probing Q_open. When the play stage ends, the adversary A chooses a message-period pair (M*, t*), a revocation list RL_{t*} as well as two pairs (sec*_0, cert*_0), (sec*_1, cert*_1), consisting of a valid membership certificate and a corresponding membership secret satisfying IsRevoked(sec*_b, cert*_b, RL_{t*}) = 0 for each b ∈ {0, 1}. Then, the challenger flips a coin d ←_R {0, 1} and computes a challenge signature σ* using (sec*_d, cert*_d). The adversary is given σ* with the task of eventually guessing the bit d ∈ {0, 1}. Before doing so, he is allowed further oracle queries throughout the second stage, called guess stage, but is restricted not to query Q_open for (M*, σ*, t*).

Definition 8. A R-GS scheme is fully anonymous if $\mathbf{Adv}^{\mathrm{anon}}(\mathcal{A}) := \big|\Pr[\mathbf{Expt}^{\mathrm{anon}}_{\mathcal{A}}(\lambda) = 1] - 1/2\big|$ is negligible for any PPT adversary A involved in the following experiment:

Experiment $\mathbf{Expt}^{\mathrm{anon}}_{\mathcal{A}}(\lambda)$
  state_I = (St, Y, S_GM, S_OA) ← Setup(λ, N);
  (aux, M*, t*, RL_{t*}, (sec*_0, cert*_0), (sec*_1, cert*_1)) ← A(play : Q_pub, Q_keyGM, Q_revoke, Q_open, Q_read, Q_write);
  If $\neg(\mathsf{cert}^\star_b \rightleftharpoons_{\mathcal{Y}} \mathsf{sec}^\star_b)$ or IsRevoked(sec*_b, cert*_b, RL_{t*}) = 1 for some b ∈ {0, 1}, or if cert*_0 = cert*_1, return 0;
  d ←_R {0, 1}; σ* ← Sign(Y, t*, RL_{t*}, cert*_d, sec*_d, M*);
  d′ ← A(guess : σ*, aux, Q_pub, Q_keyGM, Q_open^{¬(M*, σ*, t*)}, Q_read, Q_write);
  If d′ = d then return 1;
  Return 0;

B Security Proofs

B.1 Security Against Misidentification Attacks

Theorem 2 (Misidentification). The scheme is secure against misidentification attacks assuming that the q-SFP and the ℓ-FlexDHE problems are both hard for $q = \max(q_a, q_r^2)$ and ℓ = log N, where q_a and q_r denote the maximal numbers of Q_a-join queries and Q_revoke queries, respectively, and N is the maximal number of group members.

Proof. Towards a contradiction, let us assume that the adversary A outputs a non-trivial signature that does not open to an unrevoked adversarially-controlled group member.

Let
$\sigma^\star = \big(\mathsf{VK}^\star, \Upsilon_1^\star, \Upsilon_2^\star, \Upsilon_3^\star, \Upsilon_4^\star, \Upsilon_5^\star, \Omega^\star, \mathbf{com}^\star, \boldsymbol{\Pi}^\star, \sigma_{ots}^\star\big)$
denote A’s forgery and parse com* as
$\mathbf{com}^\star = \big(\mathit{com}^\star_{C_{v_i}},\ \mathit{com}^\star_{X},\ \{\mathit{com}^\star_{R_{l,\tau}}\}_{\tau=2}^{5},\ \mathit{com}^\star_{W_{\phi_l}},\ \mathit{com}^\star_{W_{\psi_l}},\ \mathit{com}^\star_{\Gamma_l},\ \{\mathit{com}^\star_{\Psi_{l,\tau}}\}_{\tau\in\{0,1,2\ell\}},\ \{\mathit{com}^\star_{\Theta'_{l,j}}\}_{j\in\{1,2,5\}},\ \{\mathit{com}^\star_{\theta'_{l,j}}\}_{j\in\{1,2,5\}},\ \{\mathit{com}^\star_{\chi_j}\}_{j=1}^{3},\ \mathit{com}^\star_{\sigma_{VK}}\big).$

We thus have $\mathsf{Open}(M^\star, t^\star, RL_{t^\star}, \sigma^\star, \mathcal{S}_{OA}, \mathcal{Y}, St) \notin U^a \setminus R_{t^\star}$, where U^a denotes the set of adversarially-controlled users. Depending on the contents of the extractable commitments $\mathit{com}^\star_X$, $\mathit{com}^\star_{C_{v_i}}$, $\{\mathit{com}^\star_{R_{l,\tau}}\}_{\tau=2}^{5}$, $\{\mathit{com}^\star_{\Psi_{l,\tau}}\}_{\tau\in\{0,1,2\ell\}}$, $\mathit{com}^\star_{W_{\phi_l}}$, $\mathit{com}^\star_{W_{\psi_l}}$, $\mathit{com}^\star_{\Gamma_l}$, we distinguish the following cases:

- Type I forgeries are those for which $\{\mathit{com}^\star_{R_{l,\tau}}\}_{\tau=2}^{5}$ contain group elements $(R^\star_{l,2}, \ldots, R^\star_{l,5})$ such that $(g^{t^\star}, R^\star_{l,2}, \ldots, R^\star_{l,5})$ was never signed when the latest revocation list $RL_{t^\star}$ was generated.


- Type II forgeries are such that $\{\mathit{com}^\star_{R_{l,\tau}}\}_{\tau=2}^{5}$ contain group elements $(R^\star_{l,2}, \ldots, R^\star_{l,5})$ for which the message $(g^{t^\star}, R^\star_{l,2}, \ldots, R^\star_{l,5})$ was signed when the latest revocation list $RL_{t^\star}$ was publicized at epoch t*. At the same time, Open uncovers a user’s tag X* for which one of the following two situations occurs:

  a. The pair $(X^\star, C^\star_{v_i})$ was not signed using $sk^{(0)}_{AHO}$.

  b. $(X^\star, C^\star_{v_i})$ was signed when answering some Q_a-join-query. However, $C^\star_{v_i}$ encodes the path $(I^\star_1, \ldots, I^\star_\ell)$ of a leaf $v^\star_i$ assigned to a revoked user i* even though the forgery σ* provides convincing evidence that the committed values $C^\star_{v_i}$, $(R^\star_{l,2}, R^\star_{l,3}, R^\star_{l,4}, R^\star_{l,5})$, $(\Psi^\star_{l,0}, \Psi^\star_{l,1}, \Psi^\star_{l,2\ell})$ and $(\Gamma^\star_l, W^\star_{\phi_l}, W^\star_{\psi_l})$ satisfy the relations

  $e(R^\star_{l,2}, C^\star_{v_i}) = e(R^\star_{l,3}, g_\ell) \cdot e(g, W^\star_{\phi_l}),$   (11)

  and

  $e(R^\star_{l,4}, C^\star_{v_i}) = e(\Psi^\star_{l,1}, g_\ell) \cdot e(g, W^\star_{\psi_l})$   (12)

  $e(\Psi^\star_{l,0} / R^\star_{l,5}, \Gamma^\star_l) = e(g, g)$   (13)

  $e(\Psi^\star_{l,1}, g) = e(g_1, \Psi^\star_{l,0})$   (14)

  $e(\Psi^\star_{l,2\ell}, g) = e(g_{2\ell}, \Psi^\star_{l,0}).$   (15)

It is immediate that Type I and Type II.a forgeries imply a forger against the AHO signature scheme and the proof is omitted.

Lemma 1 demonstrates that a Type II.b forgery necessarily contradicts the ℓ-FlexDHE assumption. This completes the proof since σ* cannot constitute a successful misidentification attack without being a Type I or a Type II forgery. □

Lemma 1. The advantage of any Type II.b forger A is at most
$\mathbf{Adv}^{\mathrm{mis\text{-}id\text{-}II.b}}_{\mathcal{A}}(\lambda) \leq \mathbf{Adv}^{\ell\text{-}\mathrm{FlexDHE}}(\lambda)$
where ℓ = log N and N denotes the maximal number of users.

Proof. The reduction B takes as input an ℓ-FlexDHE instance $(g, g_1, \ldots, g_\ell, g_{\ell+2}, \ldots, g_{2\ell}) \in \mathbb{G}^{2\ell}$. To generate the group public key Y it follows exactly the specification of the Setup algorithm with the difference that, instead of computing ck as per step 3 of the algorithm, it defines $ck = (g_1, \ldots, g_\ell, g_{\ell+2}, \ldots, g_{2\ell}) \in \mathbb{G}^{2\ell-1}$ using its input and gives
$\mathcal{Y} := \big(g, pk^{(0)}_{AHO}, pk^{(1)}_{AHO}, ck, \mathbf{f}, \vec{\varphi}, (U, V), \Sigma\big)$
to the Type II.b forger A.

Throughout the game, the adversary can adaptively invoke the Q_pub, Q_a-join, Q_revoke, Q_read, and Q_keyOA oracles. Since B knows $\mathcal{S}_{GM} = (sk^{(0)}_{AHO}, sk^{(1)}_{AHO})$ and $\mathcal{S}_{OA} = (\beta_1, \beta_2)$, it can faithfully answer all adversarial queries. The game ends with the adversary outputting a forgery σ* for which the committed variables $C^\star_{v_i}$, $(R^\star_{l,2}, R^\star_{l,3}, R^\star_{l,4}, R^\star_{l,5})$, $(\Psi^\star_{l,0}, \Psi^\star_{l,1}, \Psi^\star_{l,2\ell})$ and $(\Gamma^\star_l, W^\star_{\phi_l}, W^\star_{\psi_l})$ satisfy relations (11)-(15) although σ* opens to some user $i^\star \in U^a \cap R_{t^\star}$. Note that $(R^\star_{l,1}, R^\star_{l,2}, R^\star_{l,3}, R^\star_{l,4}, R^\star_{l,5})$ must be of the form

$(R^\star_{l,1}, R^\star_{l,2}, R^\star_{l,3}, R^\star_{l,4}, R^\star_{l,5}) = \big(g^{t^\star},\ g_{\phi_l},\ g_1^{ID(x^\star_{k_l})},\ g_{\psi_l},\ g^{ID(x^\star_{u_l})}\big),$   (16)

for some $\phi_l, \psi_l \in \{1, \ldots, \ell\}$ and some $ID(x^\star_{k_l}), ID(x^\star_{u_l}) \in \{1, \ldots, 2N-1\}$ that B knows for having chosen them itself at the latest Q_revoke-query. By hypothesis, σ* contains a committed pair $(X^\star, C^\star_{v_i})$


that was signed by B at some Q_a-join-query. Then, B recalls $(I^\star_1, \ldots, I^\star_\ell)$ such that $C^\star_{v_i} = \prod_{\kappa=1}^{\ell} g_{\ell+1-\kappa}^{I^\star_\kappa}$ from its interaction with A at that Q_a-join-query. Since $i^\star \in U^a \cap R_{t^\star}$, it must hold that either:

- $I^\star_{\phi_l} \neq ID(x^\star_{k_l})$: In this case, relations (16) and (11) imply that

  $e(g_{\phi_l}, C^\star_{v_i}) = e(g_1, g_\ell)^{ID(x^\star_{k_l})} \cdot e(g, W^\star_{\phi_l})$   (17)

  for values $\phi_l \in \{1, \ldots, \ell\}$ and $ID(x^\star_{k_l}) \in \{1, \ldots, 2N-1\}$ that are available to B. Since it also knows $(I^\star_1, \ldots, I^\star_\ell)$ such that $C^\star_{v_i} = \prod_{\kappa=1}^{\ell} g_{\ell+1-\kappa}^{I^\star_\kappa}$, it can compute $W' = \prod_{\kappa=1, \kappa \neq \phi_l}^{\ell} g_{\ell+1-\kappa+\phi_l}^{I^\star_\kappa}$ which satisfies

  $e(g_{\phi_l}, C^\star_{v_i}) = e(g_1, g_\ell)^{I^\star_{\phi_l}} \cdot e(g, W').$   (18)

  By combining (17) and (18), we find that $g_{\ell+1} = \big(W^\star_{\phi_l} / W'\big)^{1/(I^\star_{\phi_l} - ID(x^\star_{k_l}))}$ is computable by B and it solves an instance of the ℓ-DHE problem (which is not easier than ℓ-FlexDHE).

- $I^\star_{\psi_l} = ID(x^\star_{u_l})$: In this situation, if we define $\varrho = \log_{g_1}(\Psi^\star_{l,1})$, relations (16) and (12)-(15) imply that

  $e(g_{\psi_l}, C^\star_{v_i}) = e(g_1, g_\ell)^{\varrho} \cdot e(g, W^\star_{\psi_l})$   (19)

  $g^{\varrho - I^\star_{\psi_l}} \neq 1_{\mathbb{G}}$   (20)

  $\Psi^\star_{l,0} = g^{\varrho}$   (21)

  $\Psi^\star_{l,2\ell} = g_{2\ell}^{\varrho}$   (22)

  Also, similarly to the previous case, B can compute $W' = \prod_{\kappa=1, \kappa \neq \psi_l}^{\ell} g_{\ell+1-\kappa+\psi_l}^{I^\star_\kappa}$ such that

  $e(g_{\psi_l}, C^\star_{v_i}) = e(g_1, g_\ell)^{I^\star_{\psi_l}} \cdot e(g, W').$   (23)

  If we divide (19) by (23), we obtain the equality $e(g_1, g_\ell)^{\varrho - I^\star_{\psi_l}} = e(g, W'/W^\star_{\psi_l})$, so that $W'/W^\star_{\psi_l} = g_{\ell+1}^{\varrho - I^\star_{\psi_l}}$. The triple
  $\big(\Psi^\star_{l,0} \cdot g^{-I^\star_{\psi_l}},\ W'/W^\star_{\psi_l},\ \Psi^\star_{l,2\ell} \cdot g_{2\ell}^{-I^\star_{\psi_l}}\big) = \big(g^{\varrho - I^\star_{\psi_l}},\ g_{\ell+1}^{\varrho - I^\star_{\psi_l}},\ g_{2\ell}^{\varrho - I^\star_{\psi_l}}\big)$
  thus forms a non-trivial solution to the ℓ-FlexDHE problem.

In either case, we observe that B solves either the given ℓ-FlexDHE instance or the potentially harder ℓ-DHE problem. □

B.2 Security Against Framing Attacks

The security against framing attacks relies on the SDH assumption and the security of the one-time signature.

Theorem 3 (Non-frameability). The scheme is secure against framing attacks assuming that: (i) the q_b-SDH assumption holds in G, where q_b is the maximal number of Q_b-join-queries; (ii) Σ is a strongly unforgeable one-time signature.


Proof. As in [35], we consider two kinds of framing attacks that can be possibly mounted by a non-frameability adversary A.

- Type I attacks: A generates a forgery $\sigma^\star = (\mathsf{VK}^\star, \Upsilon_1^\star, \Upsilon_2^\star, \Upsilon_3^\star, \Upsilon_4^\star, \Upsilon_5^\star, \Omega^\star, \mathbf{com}^\star, \boldsymbol{\Pi}^\star, \sigma_{ots}^\star)$ for which the one-time verification key VK* was used by some honest group member i ∈ U^b when answering a Q_sig-query.

- Type II attacks: A outputs a forgery $\sigma^\star = (\mathsf{VK}^\star, \Upsilon_1^\star, \Upsilon_2^\star, \Upsilon_3^\star, \Upsilon_4^\star, \Upsilon_5^\star, \Omega^\star, \mathbf{com}^\star, \boldsymbol{\Pi}^\star, \sigma_{ots}^\star)$ for which the one-time verification key VK* was never used by Q_sig to answer a signing query on behalf of an honest user i ∈ U^b.

Type I attacks clearly defeat the security of the one-time signature. Lemma 2 shows that a Type II forgery would contradict the Strong Diffie-Hellman assumption. □

Lemma 2. The scheme is secure against framing attacks of Type II if the q_s-SDH problem is hard. More precisely, the advantage of any adversary after q_s Q_sig-queries and q_b Q_b-join-queries is at most $\mathbf{Adv}^{\mathrm{fra\text{-}II}}(\lambda) \leq q_b \cdot \mathbf{Adv}^{q_s\text{-}\mathrm{SDH}}(\lambda)$.

Proof. Let us assume that a PPT adversary A comes up with a forgery (M*, σ*) that opens to some honest user i ∈ U^b who did not issue a signature containing the verification key VK*. The same proof as in [35] shows that the Strong Diffie-Hellman assumption can be broken.

Given a q_s-SDH instance $(g, g^a, \ldots, g^{(a^{q_s})}) \in \mathbb{G}^{q_s+1}$, the reduction B generates a set of q_s one-time signature key pairs (SK_i, VK_i) ← G(λ) for i = 1 to q_s. Then, using the Boneh-Boyen techniques (see [12, Lemma 3.2]) it builds a generator g and a randomly distributed public value $X^\dagger = g^a$ – which implicitly defines $x^\dagger = \log_g(X^\dagger) = a$ – such that it knows $\{(g^{1/(a+\mathsf{VK}_i)}, \mathsf{VK}_i)\}_{i=1}^{q_s}$.

Next, using the newly generated g, B generates key pairs $\{(sk^{(b)}_{AHO}, pk^{(b)}_{AHO})\}_{b=0,1}$ for the AHO signature (note that group elements of $\{pk^{(b)}_{AHO}\}_{b=0,1}$ are computed as powers of g) and uses $pk^{(0)}_{AHO}, pk^{(1)}_{AHO}$ to form the group public key
$\mathcal{Y} := \big(g, pk^{(0)}_{AHO}, pk^{(1)}_{AHO}, ck, \mathbf{f}, \vec{\varphi}, (U, V), \Sigma\big).$

The underlying Groth-Sahai CRS $\mathbf{f} = (\vec{f}_1, \vec{f}_2, \vec{f}_3)$ is generated for the perfect soundness setting, i.e., with $\vec{f}_1 = (f_1 = g^{\beta_1}, 1, g)$, $\vec{f}_2 = (1, f_2 = g^{\beta_2}, g)$ and $\vec{f}_3 = \vec{f}_1^{\,\xi_1} \cdot \vec{f}_2^{\,\xi_2}$, where $\xi_1, \xi_2 \xleftarrow{R} \mathbb{Z}_p^*$. If the adversary A decides to corrupt the group manager or the opening authority during the game, B can reveal $\mathcal{S}_{GM} = (sk^{(0)}_{AHO}, sk^{(1)}_{AHO})$ and $\mathcal{S}_{OA} = (\beta_1, \beta_2) = (\log_g(f_1), \log_g(f_2))$. At the outset of the game, B picks a random $j^\star \xleftarrow{R} \{1, \ldots, q_b\}$ and interacts with the Type II forger A as follows.

- Q_keyGM-queries: if A decides to corrupt the group manager, B surrenders $\mathcal{S}_{GM} = (sk^{(0)}_{AHO}, sk^{(1)}_{AHO})$.

- Q_b-join-queries: when A, acting as a corrupted group manager, decides to introduce a new honest user i in the group, B starts interacting with A in an execution of Join and runs J_user on behalf of the honest user. The actions taken by B depend on the index j ∈ {1, …, q_b} of the Q_b-join-query.
  - If j ≠ j*, B follows exactly the specification of J_user.
  - If j = j*, B sends the value X† to J_GM at step 1 of Join. User j*’s membership secret is implicitly defined to be the unknown exponent sec_{j*} = a of the q-SDH instance. In steps 2-5 of the join protocol, B proceeds like the real J_user algorithm. When Join terminates, B obtains a membership certificate $\mathsf{cert}_{j^\star} = (ID(v^\star), X^\dagger, C_{v^\star}, \sigma_{v^\star})$.


- Q_pub-queries: can be treated as in the real game, by having the simulator return Y.

- Q_sig-queries: when the adversary A asks user i ∈ U^b to sign a message M, B can answer the query by running the real signature generation algorithm if i ≠ j*. Otherwise (namely, if i = j*), B uses the next available pair from $\{(g^{1/(a+\mathsf{VK}_i)}, \mathsf{VK}_i)\}_{i=1}^{q_s}$ to define $\sigma_{\mathsf{VK}_i} = g^{1/(a+\mathsf{VK}_i)}$. It also recalls user j*’s membership certificate $\mathsf{cert}_{j^\star} = (ID(v^\star), X^\dagger, C_{v^\star}, \sigma_{v^\star})$ that it obtained from the J_GM-executing adversary at the j*-th Q_b-join-query. Using $\sigma_{\mathsf{VK}_i}$ and cert_{j*}, it can easily generate all signature components and sign them using the one-time private key SK_i.

Finally, A outputs a signature $\sigma^\star = (\mathsf{VK}^\star, \Upsilon_1^\star, \Upsilon_2^\star, \Upsilon_3^\star, \Upsilon_4^\star, \Upsilon_5^\star, \Omega^\star, \mathbf{com}^\star, \boldsymbol{\Pi}^\star, \sigma_{ots}^\star)$, for some message M*, that opens to some user i* ∈ U^b who did not sign M*. At this point, B halts and reports failure if it turns out that $X^\dagger \neq \Upsilon_3^\star \cdot \Upsilon_1^{\star\, -1/\beta_1} \cdot \Upsilon_2^{\star\, -1/\beta_2}$ since, in this case, it was unfortunate when drawing the random index j*. Still, with probability 1/q_b, the signature σ* opens to the user introduced at the j*-th Q_b-join-query and $(\Upsilon_1^\star, \Upsilon_2^\star, \Upsilon_3^\star)$ does decrypt to X*. In this situation, the perfect soundness of the proof system ensures that $\mathit{com}^\star_{\sigma_{VK^\star}}$ is a commitment to a group element $\sigma^\star_{VK^\star}$ such that $e(\sigma^\star_{VK^\star}, X^\dagger \cdot g^{\mathsf{VK}^\star}) = e(g, g)$. Since σ* is a Type II forgery, B can use β_1, β_2 to compute a BBS decryption of $\mathit{com}^\star_{\sigma_{VK^\star}}$ and obtain a pair of the form $(\sigma_{VK^\star}, \mathsf{VK}^\star) = (g^{1/(x+\mathsf{VK}^\star)}, \mathsf{VK}^\star)$. The latter eventually yields a solution $(g^{1/(x+\mathsf{VK}^\star)}, \mathsf{VK}^\star)$ to the initial q_s-SDH instance by performing a Euclidean division in the exponent as in [12]. □

B.3 Anonymity

As for the anonymity property, it naturally relies on the DLIN assumption. The proof is essentially identical to that of Lemma 5 in [35] but we give it for completeness.

Theorem 4 (Anonymity). The advantage of any anonymity adversary is at most
$\mathbf{Adv}^{\mathrm{anon}}(\mathcal{A}) \leq \mathbf{Adv}^{\mathrm{ots}}(\lambda) + 3 \cdot \mathbf{Adv}^{\mathrm{DLIN}}(\lambda),$
where the first term is A’s probability of breaking the strong unforgeability of the one-time signature.

Proof. We consider a sequence of games at the end of which even an unbounded adversary has no advantage. In Game i, we call S_i the event that A wins and define $\mathbf{Adv}_i = |\Pr[S_i] - 1/2|$.

Game 1: is the experiment of Definition 8. In the play stage, the adversary A can obtain the group public key Y and the group manager’s private key $\mathcal{S}_{GM} = (sk^{(0)}_{AHO}, sk^{(1)}_{AHO})$. It can also ask for the opening of any group signature and read/write the content of state_I. When it decides to enter the challenge phase, it outputs a message M*, a period index t* and two membership certificate/secret pairs (cert*_0, sec*_0) and (cert*_1, sec*_1) such that $\mathsf{cert}^\star_b \rightleftharpoons_{\mathcal{Y}} \mathsf{sec}^\star_b$ for b = 0, 1. The simulator B flips a fair coin d ←_R {0, 1} and computes σ* ← Sign(Y, t*, RL_{t*}, cert*_d, sec*_d, M*), where t* is determined by the history of Q_revoke-queries. The signature σ* is given as a challenge to A who has to guess d ∈ {0, 1} after another series of queries (under the natural restriction of not querying the opening of σ*). We have $\mathbf{Adv}_1 = \mathbf{Adv}^{\mathrm{anon}}(\mathcal{A})$.

Game 2: is as Game 1 but B halts if A queries the opening of a signature σ containing the same one-time verification key VK* as in the challenge phase (we assume w.l.o.g. that (SK*, VK*) is generated at the outset of the game). If such a query is made before the challenge phase, it means that A was able to forge a one-time signature even without having seen a signature. If the query occurs after the challenge phase, then the strong unforgeability of Σ is broken. We can thus write $|\Pr[S_2] - \Pr[S_1]| \leq \mathbf{Adv}^{\mathrm{ots}}(\lambda)$.

Game 3: we change the generation of Y so as to answer Q_open-queries without using the secret exponents $\beta_1, \beta_2 \in \mathbb{Z}_p$ that define S_OA. To this end, B chooses $\alpha_u, \alpha_v \xleftarrow{R} \mathbb{Z}_p^*$ and defines $U = g^{-\mathsf{VK}^\star} \cdot f_1^{\alpha_u}$ and $V = g^{-\mathsf{VK}^\star} \cdot f_2^{\alpha_v}$. It is not hard to see (see [42] for details) that, for any Q_open-query containing a BBS encryption $(\Upsilon_1, \Upsilon_2, \Upsilon_3) = (f_1^{z_1}, f_2^{z_2}, X \cdot g^{z_1+z_2})$, the values $(\Upsilon_4, \Upsilon_5)$ reveal $g^{z_1}$ and $g^{z_2}$ (and thus the encrypted X) since VK ≠ VK* unless the event introduced in Game 2 occurs. To generate the challenge signature σ* at epoch t*, the challenger B first computes $(\Upsilon_1^\star, \Upsilon_2^\star, \Upsilon_3^\star)$ and then $(\Upsilon_4^\star, \Upsilon_5^\star) = (\Upsilon_1^{\star\,\alpha_u}, \Upsilon_2^{\star\,\alpha_v})$. It sets the challenge signature to be $\sigma^\star = (\mathsf{VK}^\star, \Upsilon_1^\star, \Upsilon_2^\star, \Upsilon_3^\star, \Upsilon_4^\star, \Upsilon_5^\star, \Omega^\star, \mathbf{com}^\star, \boldsymbol{\Pi}^\star, \sigma_{ots}^\star)$. It can be checked that the distributions of Y and σ* are unchanged and we have $\Pr[S_3] = \Pr[S_2]$.

Game 4: in the setup phase, we generate the CRS $\mathbf{f} = (\vec{f}_1, \vec{f}_2, \vec{f}_3)$ of the proof system for the perfect WI setting. We choose $\vec{f}_3 = \vec{f}_1^{\,\xi_1} \cdot \vec{f}_2^{\,\xi_2} \cdot (1, 1, g)^{-1}$ instead of $\vec{f}_3 = \vec{f}_1^{\,\xi_1} \cdot \vec{f}_2^{\,\xi_2}$ so that $\vec{f}_1, \vec{f}_2$ and $\vec{f}_3$ are linearly independent. Any significant change in A’s behavior yields a distinguisher for the DLIN problem and we can write $|\Pr[S_4] - \Pr[S_3]| = 2 \cdot \mathbf{Adv}^{\mathrm{DLIN}}(\mathcal{B})$. As noted in [36], proofs in the WI setting reveal no information on which witnesses they were generated from.

Game 5: in this game, we modify the generation of the challenge signature σ* and use the trapdoor of the Groth-Sahai CRS (namely, the exponents ξ_1, ξ_2 for which $\vec{\varphi} = \vec{f}_1^{\,\xi_1} \cdot \vec{f}_2^{\,\xi_2}$) to generate simulated proofs $\{\pi_{\mathrm{eq\text{-}com},j}\}_{j=1}^{3}$ that $(\Upsilon_1^\star, \Upsilon_2^\star, \Upsilon_3^\star)$ and com_X encrypt the same value. It is known [36] that linear multi-exponentiation equations always have perfectly NIZK proofs on a simulated CRS. For any satisfiable relation, (ξ_1, ξ_2) allows generating proofs without using the witnesses χ_1, χ_2, χ_3 for which (10) holds, and simulated proofs are perfectly indistinguishable from real ones. Hence, $\Pr[S_5] = \Pr[S_4]$.

Game 6: in the computation of $\Upsilon_3^\star$, we now replace $g^{z_1+z_2}$ by a random group element in the challenge σ*. Since B does not explicitly use $z_1 = \log_{f_1}(\Upsilon_1^\star)$, $z_2 = \log_{f_2}(\Upsilon_2^\star)$, any change in A’s behavior yields a distinguisher for the DLIN problem and $|\Pr[S_6] - \Pr[S_5]| \leq \mathbf{Adv}^{\mathrm{DLIN}}(\mathcal{B})$. In Game 6, we have $\Pr[S_6] = 1/2$. Indeed, when we consider the challenge σ*, Groth-Sahai commitments are all perfectly hiding in the WI setting and proofs Π reveal nothing about the underlying witnesses (in particular, NIZK proofs $\{\pi_{\mathrm{eq\text{-}com},j}\}_{j=1}^{3}$ are generated without using them) and $(\Upsilon_1^\star, \Upsilon_2^\star, \Upsilon_3^\star)$ perfectly hides X*. Finally, the randomized signature components $\Omega^\star = \{\Theta'^{\star}_{l,i}, \theta'^{\star}_{l,i}\}_{i \in \{3,4,6,7\}}$ are information-theoretically independent of the corresponding messages and the remaining components of the AHO signatures $\Theta^\star_l$ and $\theta^\star_l$.

When combining the above, A’s advantage can be bounded by $\mathbf{Adv}^{\mathrm{anon}}(\mathcal{A}) \leq \mathbf{Adv}^{\mathrm{ots}}(\lambda) + 3 \cdot \mathbf{Adv}^{\mathrm{DLIN}}(\lambda)$ as stated by the theorem. □

C Constructions from Weaker Assumptions

C.1 CDH-Based Vector Commitments

In [27], Catalano and Fiore described a vector commitment scheme whose binding property relies on the Diffie-Hellman assumption. In their scheme, if ℓ is the dimension of committed vectors, a commitment key
$\big(g, g_1, \ldots, g_\ell, h_1, \ldots, h_\ell, \{h_{i,j}\}_{i \neq j}^{\ell}\big) \in \mathbb{G}^{1+\ell+\ell^2}$
is obtained by randomly choosing $\alpha_1, \ldots, \alpha_\ell \xleftarrow{R} \mathbb{Z}_p^*$ and defining $g_i = g^{\alpha_i}$, $h_i = g^{\prod_{\kappa \neq i} \alpha_\kappa}$ and $h_{i,j} = g^{\prod_{\kappa \neq i,j}^{\ell} \alpha_\kappa} = h_i^{1/\alpha_j}$ (so that $h_{i,j} = h_{j,i}$) for each i ∈ {1, …, ℓ} and j ≠ i. A commitment to $\vec{m} = (m_1, \ldots, m_\ell)$ is obtained as $C = \prod_{\kappa=1}^{\ell} g_\kappa^{m_\kappa}$. By revealing $W_i = \prod_{\kappa=1, \kappa \neq i}^{\ell} h_{i,\kappa}^{m_\kappa}$, the committer can open the commitment to m_i at the i-th coordinate of $\vec{m}$ as it satisfies the equation
$e(g, C) \cdot e(g^{-m_i}, h_i) = e(g_i, W_i).$

This time, the coordinate-wise binding property relies on the standard Computational Diffie-Hellman (CDH) assumption. Note that, in its basic version, the commitment is not (and does not need to be) hiding since it does not use any randomizer.
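Added example, not code from the paper or from [27]: a Python exponent-level model that checks the opening equation of the vector commitment above and encodes a leaf's path identifiers (I_1, ..., I_ℓ) the way the Join protocol of Section C.2 commits to them. Assumptions: every group element is represented by its discrete log base g, so that a pairing becomes a product mod p (this checks the algebra only, it is not a cryptographic implementation); the commitment is formed over the h_κ bases, since the printed verification equation is an identity in the exponents for C = ∏ h_κ^{m_κ} and not for C = ∏ g_κ^{m_κ}; and tree nodes carry the heap numbering in which node k has children 2k and 2k+1, which yields I_1 = 1 and leaves numbered N..2N−1.

```python
import random

# Exponent-level model of the bilinear group (G, G_T) of prime order p.  Each
# element of G is written as its discrete log base g (g <-> 1, g^a <-> a), so a
# product in G is a sum mod p, an exponentiation is a product mod p, and the
# pairing e(g^a, g^b) = e(g,g)^{ab} becomes a*b mod p (log base e(g,g)).
# Assumption of this example: p is any prime; the algebra does not depend on it.
P = (1 << 127) - 1  # constructed: a prime standing in for the group order p


def prod(values):
    """Product mod p of an iterable of exponents (the empty product is 1)."""
    out = 1
    for v in values:
        out = out * v % P
    return out


def keygen(ell, seed=None):
    """Commitment key (g_1..g_l, h_1..h_l, {h_{i,j}}_{i!=j}) as logs base g.

    g_i = g^{alpha_i}, h_i = g^{prod_{k!=i} alpha_k},
    h_{i,j} = g^{prod_{k!=i,j} alpha_k} (= h_i^{1/alpha_j}).
    Coordinates are 0-based here: position i of the paper is index i-1."""
    rng = random.Random(seed)  # reproducible; a real key would use CSPRNG
    alpha = [rng.randrange(1, P) for _ in range(ell)]      # alpha_i in Z_p^*
    g_i = alpha[:]                                          # log g_i = alpha_i
    h_i = [prod(alpha[k] for k in range(ell) if k != i) for i in range(ell)]
    h_ij = {(i, j): prod(alpha[k] for k in range(ell) if k not in (i, j))
            for i in range(ell) for j in range(ell) if i != j}
    return {"ell": ell, "alpha": alpha, "g": g_i, "h": h_i, "hh": h_ij}


def commit(ck, m):
    """C = prod_k h_k^{m_k} (assumption of this example: h-bases, see lead-in)."""
    assert len(m) == ck["ell"]
    return sum(mk * hk for mk, hk in zip(m, ck["h"])) % P


def open_at(ck, m, i):
    """Witness W_i = prod_{k != i} h_{i,k}^{m_k} for coordinate i."""
    return sum(m[k] * ck["hh"][(i, k)] for k in range(ck["ell"]) if k != i) % P


def verify(ck, C, i, m_i, W_i):
    """Check e(g, C) * e(g^{-m_i}, h_i) == e(g_i, W_i) in the exponent model."""
    lhs = (1 * C + (-m_i) * ck["h"][i]) % P   # e(g,C) * e(g^{-m_i}, h_i)
    rhs = ck["g"][i] * W_i % P                 # e(g_i, W_i)
    return lhs == rhs


def path_identifiers(leaf_id, n_leaves):
    """(I_1, ..., I_l) for the leaf of identifier leaf_id in a complete binary
    tree with n_leaves = N leaves numbered N..2N-1 (assumed heap numbering:
    node k has children 2k and 2k+1, so the root is I_1 = 1)."""
    assert n_leaves <= leaf_id < 2 * n_leaves
    path, node = [], leaf_id
    while node >= 1:
        path.append(node)
        node //= 2
    return path[::-1]


if __name__ == "__main__":
    N = 8                           # constructed: N = 2^{l-1} leaves, so l = 4
    ell = N.bit_length()            # 4
    ids = path_identifiers(13, N)   # [1, 3, 6, 13]: root-to-leaf identifiers
    ck = keygen(ell, seed=1)
    C = commit(ck, ids)             # the C_v that Join step 2a computes
    for i in range(ell):            # opening at depth i reveals I_{i+1} only
        assert verify(ck, C, i, ids[i], open_at(ck, ids, i))
    # the same witness cannot open the coordinate to a different identifier
    assert not verify(ck, C, 2, ids[2] + 1, open_at(ck, ids, 2))
    print("path", ids, "verified at every coordinate")
```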

C.2 Construction

This section gives an alternative construction of revocable group signature where the ℓ-FlexDHE assumption is not used. Instead, we rely on an assumption (suggested in [44]) of fixed size, which is inspired by the Flexible Diffie-Hellman assumption [43].

Definition 9 ([44]). In a group G of prime order p, the Flexible Square Diffie-Hellman (FSDH) problem consists in, given $(g, g^a)$ with $a \xleftarrow{R} \mathbb{Z}_p$, finding a non-trivial triple $(g^{\mu}, g^{a \cdot \mu}, g^{(a^2) \cdot \mu})$ with μ ≠ 0.

The Flexible Square Diffie-Hellman assumption is the hardness of FSDH for any PPT algorithm. We thus trade one of the q-type assumptions for a constant-size assumption at the cost of increasing the size of the group public key. Indeed, the latter now contains $O(\log^2 N)$ group elements.

Setup(λ, N): given a security parameter λ ∈ N and the maximal number of users N = 2^{ℓ−1},

1. Choose bilinear groups (G, G_T) of prime order p > 2^λ, with a generator g ←_R G.

2. Define n_0 = 2 and n_1 = 7. Generate two key pairs $(sk^{(0)}_{AHO}, pk^{(0)}_{AHO})$ and $(sk^{(1)}_{AHO}, pk^{(1)}_{AHO})$ for the AHO signature in order to sign messages of n_0 and n_1 group elements, respectively. These key pairs are
$pk^{(d)}_{AHO} = \Big(G^{(d)}_r,\ H^{(d)}_r,\ G^{(d)}_z = G_r^{\gamma^{(d)}_z},\ H^{(d)}_z = H_r^{\delta^{(d)}_z},\ \{G^{(d)}_i = G_r^{\gamma^{(d)}_i},\ H^{(d)}_i = H_r^{\delta^{(d)}_i}\}_{i=1}^{n_d},\ A^{(d)},\ B^{(d)}\Big)$
and
$sk^{(d)}_{AHO} = \Big(\alpha^{(d)}_a,\ \alpha^{(d)}_b,\ \gamma^{(d)}_z,\ \delta^{(d)}_z,\ \{\gamma^{(d)}_i,\ \delta^{(d)}_i\}_{i=1}^{n_d}\Big),$
where d ∈ {0, 1}. These two schemes will be used to sign messages consisting of 2 and 7 group elements, respectively.

3. Generate a public key $ck = \big(g_1, \ldots, g_\ell, h_1, \ldots, h_\ell, \{h_{i,j}\}_{i \neq j}^{\ell}\big) \in \mathbb{G}^{\ell+\ell^2}$ for vectors of dimension ℓ in the CDH-based vector commitment scheme recalled in Section C.1.

4. As a CRS for the NIWI proof system, select vectors $\mathbf{f} = (\vec{f}_1, \vec{f}_2, \vec{f}_3)$ s.t. $\vec{f}_1 = (f_1, 1, g) \in \mathbb{G}^3$, $\vec{f}_2 = (1, f_2, g) \in \mathbb{G}^3$, and $\vec{f}_3 = \vec{f}_1^{\,\xi_1} \cdot \vec{f}_2^{\,\xi_2}$, with $f_1 = g^{\beta_1}, f_2 = g^{\beta_2} \xleftarrow{R} \mathbb{G}$ and $\beta_1, \beta_2, \xi_1, \xi_2 \xleftarrow{R} \mathbb{Z}_p^*$. We also define the vector $\vec{\varphi} = \vec{f}_3 \cdot (1, 1, g)$.

5. Choose (U, V) ←_R G² that, together with generators f_1, f_2, g ∈ G, will form a public encryption key.

6. Select a strongly unforgeable one-time signature Σ = (G, S, V).

7. Set $\mathcal{S}_{GM} := (sk^{(0)}_{AHO}, sk^{(1)}_{AHO})$ and $\mathcal{S}_{OA} := (\beta_1, \beta_2)$ as the authorities’ private keys, and the group public key is
$\mathcal{Y} := \Big(g,\ pk^{(0)}_{AHO},\ pk^{(1)}_{AHO},\ ck = \big(g_1, \ldots, g_\ell, h_1, \ldots, h_\ell, \{h_{i,j}\}_{i \neq j}^{\ell}\big),\ \mathbf{f},\ \vec{\varphi},\ (U, V),\ \Sigma\Big).$


Join($GM, \mathcal{U}_i$): the group manager and the prospective user $\mathcal{U}_i$ run the following interactive protocol $[\mathsf{J}_{user}(\lambda, \mathcal{Y}), \mathsf{J}_{GM}(\lambda, St, \mathcal{Y}, \mathcal{S}_{GM})]$:

1. $\mathsf{J}_{user}(\lambda, \mathcal{Y})$ picks $x \stackrel{R}{\leftarrow} \mathbb{Z}_p$ and computes $X = g^x$ which is sent to $\mathsf{J}_{GM}(\lambda, St, \mathcal{Y}, \mathcal{S}_{GM})$. If $X \in \mathbb{G}$ already appears in the database $St_{trans}$, $\mathsf{J}_{GM}$ halts and returns $\perp$ to $\mathsf{J}_{user}$.

2. $\mathsf{J}_{GM}$ assigns to $\mathcal{U}_i$ an available leaf $v$ of identifier $\mathrm{ID}(v)$ in the tree $\mathsf{T}$. Let $x_1, \ldots, x_\ell$ be the path from $x_\ell = v$ to the root $x_1 = \epsilon$ of $\mathsf{T}$. Let also $(I_1, \ldots, I_\ell) = (\mathrm{ID}(x_1), \ldots, \mathrm{ID}(x_\ell))$ be the vector of identifiers (with $I_1 = 1$ and $I_\ell = \mathrm{ID}(v) \in \{N, \ldots, 2N-1\}$). Then, $\mathsf{J}_{GM}$ conducts the following steps.

a. Compute a compact encoding of $(I_1, \ldots, I_\ell)$ as $C_v = \prod_{\kappa=1}^{\ell} g_\kappa^{I_\kappa} \in \mathbb{G}$.

b. Using $sk^{(0)}_{AHO}$, generate an AHO signature $\sigma_v = (\theta_{v,1}, \ldots, \theta_{v,7})$ on $(X, C_v) \in \mathbb{G}^2$ in order to bind $C_v$ to the value $X$ that identifies the new member $\mathcal{U}_i$.

3. $\mathsf{J}_{GM}$ sends $\mathrm{ID}(v) \in \{N, \ldots, 2N-1\}$ and $C_v$ to $\mathsf{J}_{user}$ that halts if $\mathrm{ID}(v) \notin \{N, \ldots, 2N-1\}$ or if $C_v \neq \prod_{\kappa=1}^{\ell} g_\kappa^{I_\kappa} \in \mathbb{G}$. Otherwise, $\mathsf{J}_{user}$ sends a signature $sig_i = \mathrm{Sign}_{usk[i]}\big(X \| (I_1, \ldots, I_\ell)\big)$ to $\mathsf{J}_{GM}$.

4. $\mathsf{J}_{GM}$ checks that $\mathrm{Verify}_{upk[i]}\big((X \| (I_1, \ldots, I_\ell)), sig_i\big) = 1$. If not, $\mathsf{J}_{GM}$ aborts. Otherwise, $\mathsf{J}_{GM}$ returns $\sigma_v$ to $\mathsf{J}_{user}$ and stores $transcript_i = (X, \mathrm{ID}(v), C_v, \sigma_v, sig_i)$ in the database $St_{trans}$.

5. $\mathsf{J}_{user}$ defines the membership certificate as $cert_i = \big(\mathrm{ID}(v), X, C_v, \sigma_v\big) \in \{N, \ldots, 2N-1\} \times \mathbb{G}^9$, where $X$ will serve as the tag identifying $\mathcal{U}_i$. The membership secret $sec_i$ is defined as $sec_i = x \in \mathbb{Z}_p$.

Revoke($\mathcal{Y}, \mathcal{S}_{GM}, t, \mathcal{R}_t$): Parse $\mathcal{S}_{GM}$ as $\mathcal{S}_{GM} := (sk^{(0)}_{AHO}, sk^{(1)}_{AHO})$ and do the following.

1. Find a partition of the unrevoked user set $\{1, \ldots, N\} \setminus \mathcal{R}_t$ as the union of disjoint subsets of the form $S_{k_1, u_1}, \ldots, S_{k_m, u_m}$, with $m \leq 2 \cdot |\mathcal{R}_t| - 1$.

2. For $i = 1$ to $m$, do the following.

a. Parse $S_{k_i, u_i}$ as the difference between sub-trees rooted at an internal node $x_{k_i}$ and one of its descendants $x_{u_i}$. Let $\phi_i, \psi_i \in \{1, \ldots, \ell\}$ be the depths of $x_{k_i}$ and $x_{u_i}$, respectively, in $\mathsf{T}$ assuming that the root $\epsilon$ is at depth 1. Encode $S_{k_i, u_i}$ as a vector of group elements $\big(g_{\phi_i}, h_{\phi_i}, g^{-\mathrm{ID}(x_{k_i})}, g_{\psi_i}, h_{\psi_i}, g^{\mathrm{ID}(x_{u_i})}\big) \in \mathbb{G}^6$.

b. To authenticate $S_{k_i, u_i}$ and link it to the revocation epoch $t$, use $sk^{(1)}_{AHO}$ to compute a structure-preserving signature $\Theta_i = (\Theta_{i,1}, \ldots, \Theta_{i,7}) \in \mathbb{G}^7$ on the message

$$R_i = \big(g^t, g_{\phi_i}, h_{\phi_i}, g^{-\mathrm{ID}(x_{k_i})}, g_{\psi_i}, h_{\psi_i}, g^{\mathrm{ID}(x_{u_i})}\big) \in \mathbb{G}^7,$$

where the epoch number $t$ is interpreted as an element of $\mathbb{Z}_p$.

Return

$$RL_t = \Big(t,\ \mathcal{R}_t,\ \big\{\phi_i, \psi_i, \mathrm{ID}(x_{k_i}), \mathrm{ID}(x_{u_i}), \Theta_i = (\Theta_{i,1}, \ldots, \Theta_{i,7})\big\}_{i=1}^{m}\Big). \tag{24}$$
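The cover of step 1, its encoding by depths and node identifiers, and the test a signer later applies to find the set containing its leaf (Sign, step 1: $I_{\phi_l} = \mathrm{ID}(x_{k_l})$ and $I_{\psi_l} \neq \mathrm{ID}(x_{u_l})$) can be made concrete in plain integers. The following Python is an added example, not the paper's code; it uses the page's node numbering (root $\epsilon$ has ID 1, children of $n$ are $2n$ and $2n+1$, leaves are $N, \ldots, 2N-1$, root at depth 1) and a recursive NNL subset-difference cover, which the page itself does not spell out.

```python
from typing import List, Optional, Set, Tuple

Subset = Tuple[int, int]  # S_{k,u} as (ID(x_k), ID(x_u)): leaves below x_k, not below x_u

def depth(node: int) -> int:
    """Depth of a node when the root (ID 1) is at depth 1; these are phi and psi."""
    return node.bit_length()

def path_ids(leaf: int, ell: int) -> List[int]:
    """(I_1, ..., I_ell): identifiers on the root-to-leaf path, I_1 = 1, I_ell = leaf."""
    return [leaf >> (ell - k) for k in range(1, ell + 1)]

def sd_cover(N: int, revoked: Set[int]) -> List[Subset]:
    """Revoke step 1: partition the unrevoked leaves of {N..2N-1} into at most
    2|R_t|-1 disjoint subset-difference sets (NNL); N must be a power of two."""
    if not revoked:
        raise ValueError("the bound m <= 2|R_t|-1 presumes at least one revoked user")
    cover: List[Subset] = []

    def rec(node: int) -> Optional[int]:
        # Returns d such that every unrevoked leaf below `node` lies either in an
        # already emitted subset or in the still-open set S_{node,d}; None means
        # the subtree holds no revoked leaf and is left for an ancestor to cover.
        if node >= N:
            return node if node in revoked else None
        dl, dr = rec(2 * node), rec(2 * node + 1)
        if dl is None:
            return dr      # left half (if any) joins the open set of the right
        if dr is None:
            return dl
        for child, d in ((2 * node, dl), (2 * node + 1, dr)):
            if child != d:  # revoked leaves on both sides: close both open sets
                cover.append((child, d))
        return node

    d = rec(1)
    if d != 1:
        cover.append((1, d))
    return cover

def in_subset(leaf: int, ell: int, subset: Subset) -> bool:
    """Sign step 1 test: v in S_{k,u} iff I_phi = ID(x_k) and I_psi != ID(x_u)."""
    xk, xu = subset
    ids = path_ids(leaf, ell)
    return ids[depth(xk) - 1] == xk and ids[depth(xu) - 1] != xu

def locate(leaf: int, ell: int, cover: List[Subset]) -> Optional[int]:
    """Index l of the S_{k_l,u_l} containing `leaf`; None if the leaf is revoked."""
    hits = [l for l, s in enumerate(cover) if in_subset(leaf, ell, s)]
    return hits[0] if len(hits) == 1 else None

def is_partition(N: int, revoked: Set[int], cover: List[Subset]) -> bool:
    """Every unrevoked leaf in exactly one subset, every revoked leaf in none."""
    ell = N.bit_length()  # N = 2^(ell-1)
    return all(sum(in_subset(v, ell, s) for s in cover) == (v not in revoked)
               for v in range(N, 2 * N))
```

With $N = 8$ ($\ell = 4$) and revoked leaves $\{9, 14\}$ the cover is $S_{2,9}, S_{3,14}$, so $m = 2 \leq 2|\mathcal{R}_t| - 1$; the encoding of $S_{2,9}$ is $(\phi, \psi, \mathrm{ID}(x_k), \mathrm{ID}(x_u)) = (2, 4, 2, 9)$.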

Sign($\mathcal{Y}, t, RL_t, cert_i, sec_i, M$): return $\perp$ if $i \in \mathcal{R}_t$. Otherwise, to sign $M$, generate a one-time key pair $(\mathsf{SK}, \mathsf{VK}) \leftarrow \mathcal{G}(\lambda)$. Parse $cert_i$ as $cert_i = \big(\mathrm{ID}(v_i), X, C_{v_i}, \sigma_{v_i}\big) \in \{N, \ldots, 2N-1\} \times \mathbb{G}^9$ and $sec_i$ as $x \in \mathbb{Z}_p$. Let $\epsilon = x_1, \ldots, x_\ell = v_i$ be the path connecting the leaf $v_i$ to the root $\epsilon$ and let $(I_1, \ldots, I_\ell) = (\mathrm{ID}(x_1), \ldots, \mathrm{ID}(x_\ell))$. First, $\mathcal{U}_i$ generates a commitment $com_{C_{v_i}}$ to the encoding $C_{v_i}$ of the path $(I_1, \ldots, I_\ell)$ from $v_i$ to the root. Then, conduct the following steps.


1. Using $RL_t$, find the set $S_{k_l, u_l}$, with $l \in \{1, \ldots, m\}$, that contains the leaf $v_i$ identified by $\mathrm{ID}(v_i)$. Let $x_{k_l}$ and $x_{u_l}$ denote the primary and secondary roots of $S_{k_l, u_l}$ at depths $\phi_l$ and $\psi_l$, respectively. Since $x_{k_l}$ is an ancestor of $v_i$ but $x_{u_l}$ is not, it holds that $I_{\phi_l} = \mathrm{ID}(x_{k_l})$ and $I_{\psi_l} \neq \mathrm{ID}(x_{u_l})$.

2. To prove that $v_i$ belongs to $S_{k_l, u_l}$, $\mathcal{U}_i$ first re-randomizes the $l$-th AHO signature $\Theta_l$ of $RL_t$ as $\{\Theta'_{l,i}\}_{i=1}^{7} \leftarrow \mathrm{ReRand}(pk^{(1)}_{AHO}, \Theta_l)$. Then, he commits to the $l$-th revocation message

$$R_l = (R_{l,1}, R_{l,2}, R_{l,3}, R_{l,4}, R_{l,5}, R_{l,6}, R_{l,7}) = \big(g^t, g_{\phi_l}, h_{\phi_l}, g^{-\mathrm{ID}(x_{k_l})}, g_{\psi_l}, h_{\psi_l}, g^{\mathrm{ID}(x_{u_l})}\big) \tag{25}$$

and its signature $\Theta'_l = (\Theta'_{l,1}, \ldots, \Theta'_{l,7})$ by computing Groth-Sahai commitments $\{com_{R_{l,\tau}}\}_{\tau=2}^{7}$, $\{com_{\Theta'_{l,j}}\}_{j \in \{1,2,5\}}$ to $\{R_{l,\tau}\}_{\tau=2}^{7}$ and $\{\Theta'_{l,j}\}_{j \in \{1,2,5\}}$.

a. To prove that $I_{\phi_l} = \mathrm{ID}(x_{k_l})$, $\mathcal{U}_i$ first computes $W_{\phi_l} = \prod_{\kappa=1,\,\kappa \neq \phi_l}^{\ell} h_{\phi_l, \kappa}^{I_\kappa}$ that satisfies the equality $e(g, C_{v_i}) \cdot e(g^{-I_{\phi_l}}, h_{\phi_l}) = e(g_{\phi_l}, W_{\phi_l})$. Then, $\mathcal{U}_i$ generates a Groth-Sahai commitment $com_{W_{\phi_l}}$ to $W_{\phi_l}$. He computes a proof that committed variables $(R_{l,2}, R_{l,3}, R_{l,4}, C_{v_i}, W_{\phi_l})$ satisfy the equation

$$e(g, C_{v_i}) \cdot e(R_{l,4}, R_{l,3}) = e(R_{l,2}, W_{\phi_l}). \tag{26}$$

Let $\pi_{eq}$ be the proof for the quadratic equation (26).

b. To prove that $I_{\psi_l} \neq \mathrm{ID}(x_{u_l})$, $\mathcal{U}_i$ computes $W_{\psi_l} = \prod_{\kappa=1,\,\kappa \neq \psi_l}^{\ell} h_{\psi_l, \kappa}^{I_\kappa}$ that satisfies the equality $e(g, C_{v_i}) \cdot e(g^{-I_{\psi_l}}, h_{\psi_l}) = e(g_{\psi_l}, W_{\psi_l})$. Then, he computes a commitment $com_{W_{\psi_l}}$ to $W_{\psi_l}$ as well as commitments $com_{\Gamma_l}$ and $\{com_{\Psi_{l,\tau}}\}_{\tau=0,1}$ to the group elements

$$(\Gamma_l, \Psi_{l,0}, \Psi_{l,1}) = \big(g^{1/(\mathrm{ID}(x_{u_l}) - I_{\psi_l})},\ g^{-I_{\psi_l}},\ g_{\psi_l}^{-I_{\psi_l}}\big).$$

Then, $\mathcal{U}_i$ provides evidence that committed variables $(R_{l,5}, R_{l,6}, R_{l,7}, C_{v_i}, W_{\psi_l}, \Gamma_l, \Psi_{l,0}, \Psi_{l,1})$ satisfy

$$e(g, C_{v_i}) \cdot e(\Psi_{l,0}, R_{l,6}) = e(R_{l,5}, W_{\psi_l}), \tag{27}$$

$$e(R_{l,7} \cdot \Psi_{l,0}, \Gamma_l) = e(g, g), \tag{28}$$

$$e(\Psi_{l,0}, R_{l,5}) = e(g, \Psi_{l,1}). \tag{29}$$

We denote this proof by $\pi_{neq} = (\pi_{neq,1}, \pi_{neq,2}, \pi_{neq,3})$. It consists of 27 group elements since all equations are quadratic.

3. $\mathcal{U}_i$ proves that the tuple $R_l$ of (25) is part of $RL_t$: namely, $\mathcal{U}_i$ computes a proof $\pi_{R_l}$ that committed message elements $\{R_{l,\tau}\}_{\tau=2}^{7}$ and signature components $\{\Theta'_{l,j}\}_{j \in \{1,2,5\}}$ satisfy the equations

$$A^{(1)} \cdot e(\Theta'_{l,3}, \Theta'_{l,4})^{-1} \cdot e(G_1^{(1)}, g^t)^{-1} = e(G_z^{(1)}, \Theta'_{l,1}) \cdot e(G_r^{(1)}, \Theta'_{l,2}) \cdot \prod_{\tau=2}^{7} e(G_\tau^{(1)}, R_{l,\tau}), \tag{30}$$

$$B^{(1)} \cdot e(\Theta'_{l,6}, \Theta'_{l,7})^{-1} \cdot e(H_1^{(1)}, g^t)^{-1} = e(H_z^{(1)}, \Theta'_{l,1}) \cdot e(H_r^{(1)}, \Theta'_{l,5}) \cdot \prod_{\tau=2}^{7} e(H_\tau^{(1)}, R_{l,\tau}).$$

The proof $\pi_{R_l}$ takes 6 elements as both equations of (30) are linear.


4. Let $\sigma_{v_i} = (\theta_{v_i,1}, \ldots, \theta_{v_i,7})$ be the AHO signature on the message $(X, C_{v_i})$. Set $\{\theta'_{v_i,j}\}_{j=1}^{7} \leftarrow \mathrm{ReRand}(pk^{(0)}_{AHO}, \sigma_{v_i})$ and generate commitments $\{com_{\theta'_{v_i,j}}\}_{j \in \{1,2,5\}}$ to $\{\theta'_{v_i,j}\}_{j \in \{1,2,5\}}$ as well as a commitment $com_X$ to $X$. Then, generate a proof $\pi_{\sigma_{v_i}}$ that committed variables satisfy

$$A^{(0)} \cdot e(\theta'_{l,3}, \theta'_{l,4})^{-1} = e(G_z^{(0)}, \theta'_{l,1}) \cdot e(G_r^{(0)}, \theta'_{l,2}) \cdot e(G_1^{(0)}, X) \cdot e(G_2^{(0)}, C_{v_i}),$$

$$B^{(0)} \cdot e(\theta'_{l,6}, \theta'_{l,7})^{-1} = e(H_z^{(0)}, \theta'_{l,1}) \cdot e(H_r^{(0)}, \theta'_{l,5}) \cdot e(H_1^{(0)}, X) \cdot e(H_2^{(0)}, C_{v_i}).$$

Since these equations are linear, $\pi_{\sigma_{v_i}}$ requires 6 group elements.

5. Using $\mathsf{VK}$ as a tag, compute a tag-based encryption [42] of $X$ by picking $z_1, z_2 \stackrel{R}{\leftarrow} \mathbb{Z}_p$ and setting

$$(\Upsilon_1, \Upsilon_2, \Upsilon_3, \Upsilon_4, \Upsilon_5) = \big(f_1^{z_1},\ f_2^{z_2},\ X \cdot g^{z_1 + z_2},\ (g^{\mathsf{VK}} \cdot U)^{z_1},\ (g^{\mathsf{VK}} \cdot V)^{z_2}\big).$$

6. Generate a NIZK proof that $com_X = (1, 1, X) \cdot \vec{f}_1^{\,w_{X,1}} \cdot \vec{f}_2^{\,w_{X,2}} \cdot \vec{f}_3^{\,w_{X,3}}$ and $(\Upsilon_1, \Upsilon_2, \Upsilon_3)$ are BBS encryptions of the same value $X$. If we write $\vec{f}_3 = (f_{3,1}, f_{3,2}, f_{3,3})$, the Groth-Sahai commitment $com_X$ can be written as $\big(f_1^{w_{X,1}} \cdot f_{3,1}^{w_{X,3}},\ f_2^{w_{X,2}} \cdot f_{3,2}^{w_{X,3}},\ X \cdot g^{w_{X,1} + w_{X,2}} \cdot f_{3,3}^{w_{X,3}}\big)$, so that we have

$$com_X \cdot (\Upsilon_1, \Upsilon_2, \Upsilon_3)^{-1} = \big(f_1^{\chi_1} \cdot f_{3,1}^{\chi_3},\ f_2^{\chi_2} \cdot f_{3,2}^{\chi_3},\ g^{\chi_1 + \chi_2} \cdot f_{3,3}^{\chi_3}\big) \tag{31}$$

with $\chi_1 = w_{X,1} - z_1$, $\chi_2 = w_{X,2} - z_2$, $\chi_3 = w_{X,3}$. The signer $\mathcal{U}_i$ commits to $\chi_1, \chi_2, \chi_3 \in \mathbb{Z}_p$ (by computing $com_{\chi_j}$, for $j \in \{1, 2, 3\}$), and generates proofs $\{\pi_{eq\text{-}com,j}\}_{j=1}^{3}$ that $\chi_1, \chi_2, \chi_3$ satisfy the relations (31).

7. Compute a weak Boneh-Boyen signature $\sigma_{\mathsf{VK}} = g^{1/(x + \mathsf{VK})}$ on $\mathsf{VK}$ and a commitment $com_{\sigma_{\mathsf{VK}}}$ to $\sigma_{\mathsf{VK}}$. Then, generate a NIWI proof $\pi_{\sigma_{\mathsf{VK}}} = (\vec{\pi}_{\sigma_{\mathsf{VK}},1}, \vec{\pi}_{\sigma_{\mathsf{VK}},2}, \vec{\pi}_{\sigma_{\mathsf{VK}},3}) \in \mathbb{G}^9$ that committed variables $(\sigma_{\mathsf{VK}}, X) \in \mathbb{G}^2$ satisfy the quadratic equation $e(\sigma_{\mathsf{VK}}, X \cdot g^{\mathsf{VK}}) = e(g, g)$.

8. Compute $\sigma_{ots} = \mathcal{S}(\mathsf{SK}, (M, RL_t, \Upsilon_1, \Upsilon_2, \Upsilon_3, \Upsilon_4, \Upsilon_5, \Omega, \mathbf{com}, \mathbf{\Pi}))$ where $\Omega = \{\Theta'_{l,i}, \theta'_{l,i}\}_{i \in \{3,4,6,7\}}$ and

$$\mathbf{com} = \Big(com_{C_{v_i}},\ com_X,\ \{com_{R_{l,\tau}}\}_{\tau=2}^{7},\ com_{W_{\phi_l}},\ com_{W_{\psi_l}},\ com_{\Gamma_l},\ \{com_{\Psi_{l,\tau}}\}_{\tau \in \{0,1\}},\ \{com_{\Theta'_{l,j}}\}_{j \in \{1,2,5\}},\ \{com_{\theta'_{l,j}}\}_{j \in \{1,2,5\}},\ \{com_{\chi_j}\}_{j=1}^{3},\ com_{\sigma_{\mathsf{VK}}}\Big)$$

$$\mathbf{\Pi} = \Big(\pi_{eq},\ \pi_{neq},\ \pi_{R_l},\ \pi_{\sigma_{v_i}},\ \{\pi_{eq\text{-}com,j}\}_{j=1}^{3},\ \pi_{\sigma_{\mathsf{VK}}}\Big)$$

Return the signature $\sigma = \big(\mathsf{VK}, \Upsilon_1, \Upsilon_2, \Upsilon_3, \Upsilon_4, \Upsilon_5, \Omega, \mathbf{com}, \mathbf{\Pi}, \sigma_{ots}\big)$.

Verify($\sigma, M, t, RL_t, \mathcal{Y}$): parse $\sigma$ as above and do the following.

1. If $\mathcal{V}(\mathsf{VK}, (M, RL_t, \Upsilon_1, \Upsilon_2, \Upsilon_3, \Upsilon_4, \Upsilon_5, \Omega, \mathbf{com}, \mathbf{\Pi}), \sigma_{ots}) = 0$, return 0.

2. Return 0 if $e(\Upsilon_1, g^{\mathsf{VK}} \cdot U) \neq e(f_1, \Upsilon_4)$ or $e(\Upsilon_2, g^{\mathsf{VK}} \cdot V) \neq e(f_2, \Upsilon_5)$.

3. Return 1 if all proofs properly verify. Otherwise, return 0.

Open($M, t, RL_t, \sigma, \mathcal{S}_{OA}, \mathcal{Y}, St$): parse $\sigma$ as above and return $\perp$ if Verify($\sigma, M, t, RL_t, \mathcal{Y}$) $= 0$. Otherwise, given $\mathcal{S}_{OA} = (\beta_1, \beta_2)$, compute $X = \Upsilon_3 \cdot \Upsilon_1^{-1/\beta_1} \cdot \Upsilon_2^{-1/\beta_2}$. In the database $St_{trans}$, find a record $\langle i, transcript_i = (X_i, \mathrm{ID}(v_i), C_{v_i}, \sigma_{v_i}, sig_i) \rangle$ such that $X_i = X$. If no such record exists in $St_{trans}$, return $\perp$. Otherwise, return $i$.

Each signature now consists of 150 group elements since $\mathbf{com}$ and $\mathbf{\Pi}$ contain 69 and 63 group elements, respectively. The only overhead is in the size of the group public key which grows from $O(\log N)$ to $O(\log^2 N)$.


C.3 Security

Theorem 5 (Misidentification). The scheme is secure against misidentification attacks assuming that the $q$-SFP and the FSDH problems are both hard for $q = \max(q_a, q_r^2)$, where $q_a$ and $q_r$ denote the maximal numbers of $Q_{a\text{-}join}$ queries and $Q_{revoke}$ queries, respectively, and $N$ is the maximal number of group members.

Proof. The proof is almost identical to the proof of Theorem 2. It considers the same two kinds of forgeries and the only difference is the treatment of Type II.b forgeries. Lemma 3 shows how to break the 2-3-SqDH assumption using a Type II.b forger. $\square$

Lemma 3. The advantage of any Type II.b forger $\mathcal{A}$ is at most $\mathbf{Adv}^{mis\text{-}id\text{-}II.b}_{\mathcal{A}}(\lambda) \leq \ell \cdot \mathbf{Adv}^{FSDH}(\lambda)$, where $\ell = \log N$ and $N$ is the maximal number of users.

Proof. To prove the result, it is convenient to use an equivalent formulation$^3$ of the problem. Namely, given $(g, g^a)$, we have to find a triple $(g^{a \cdot \mu}, g^{\mu}, g^{\mu/a})$ for some $\mu \neq 0$. We describe an algorithm $\mathcal{B}$ that receives as input an instance $(g, g^a) \in \mathbb{G}^2$ of the FSDH problem and uses the Type II.b forger to find a non-trivial $(g^{a \cdot \mu}, g^{\mu}, g^{\mu/a})$. To generate the group public key, $\mathcal{B}$ follows the specification of the Setup procedure except that, instead of computing $ck$ as in step 3 of the algorithm, it defines $ck = (g_1, \ldots, g_\ell, h_1, \ldots, h_\ell, \{h_{i,j}\}_{i \neq j})$ as follows. It picks $i^\star \stackrel{R}{\leftarrow} \{1, \ldots, \ell\}$ and defines

$$\begin{aligned}
g_{i^\star} &= g^a \\
g_i &= g^{z_i} & i \neq i^\star \\
h_{i^\star} &= g^{\prod_{\kappa \neq i^\star} z_\kappa} \\
h_i &= (g^a)^{\prod_{\kappa \neq i, i^\star} z_\kappa} & i \neq i^\star \\
h_{i,j} &= (g^a)^{\prod_{\kappa \neq i, j, i^\star} z_\kappa} & i \neq i^\star,\ j \neq i^\star \\
h_{i^\star,j} &= g^{\prod_{\kappa \neq j, i^\star} z_\kappa} & j \neq i^\star \\
h_{i,i^\star} &= g^{\prod_{\kappa \neq i, i^\star} z_\kappa} & i \neq i^\star
\end{aligned}$$

where $z_1, \ldots, z_\ell \stackrel{R}{\leftarrow} \mathbb{Z}_p$. Eventually, $\mathcal{Y} := \big(g, pk^{(0)}_{AHO}, pk^{(1)}_{AHO}, ck, \mathbf{f}, \vec{\varphi}, (U, V), \Sigma\big)$ is given to the Type II.b forger $\mathcal{A}$.

During the whole game, the adversary can adaptively probe the $Q_{pub}$, $Q_{a\text{-}join}$, $Q_{revoke}$, $Q_{read}$, and $Q_{keyOA}$ oracles. Since $\mathcal{S}_{GM} = (sk^{(0)}_{AHO}, sk^{(1)}_{AHO})$ and $\mathcal{S}_{OA} = (\beta_1, \beta_2)$ are available to the reduction $\mathcal{B}$, the latter can always perfectly answer adversarial queries. At the end of the game, the adversary $\mathcal{A}$ outputs a forgery $\sigma^\star$ for which the committed variables $C^\star_{v_i}$, $(R^\star_{l,2}, \ldots, R^\star_{l,7})$, $(\Psi^\star_{l,0}, \Psi^\star_{l,1})$ and $(\Gamma^\star_l, W^\star_{\phi_l}, W^\star_{\psi_l})$ satisfy the relations

$$e(g, C^\star_{v_i}) \cdot e(R^\star_{l,4}, R^\star_{l,3}) = e(R^\star_{l,2}, W^\star_{\phi_l}) \tag{32}$$

$$e(g, C^\star_{v_i}) \cdot e(\Psi^\star_{l,0}, R^\star_{l,6}) = e(R^\star_{l,5}, W^\star_{\psi_l}), \tag{33}$$

$$e(R^\star_{l,7} \cdot \Psi^\star_{l,0}, \Gamma^\star_l) = e(g, g), \tag{34}$$

$$e(\Psi^\star_{l,0}, R^\star_{l,5}) = e(g, \Psi^\star_{l,1}). \tag{35}$$

$^3$ Given $(g, g^a)$, if we define $y = g^a$ and $y^A = g$ (so that $A = 1/a$) any FSDH solution $(y^{\mu}, y^{A \cdot \mu}, y^{(A^2) \mu})$ can be written as $(g^{a \cdot \mu}, g^{\mu}, g^{\mu/a})$.


although $\sigma^\star$ opens to some user $i^\star \in U^a \cap \mathcal{R}_{t^\star}$. Note that $(R^\star_{l,1}, \ldots, R^\star_{l,7})$ is necessarily of the form

$$(R^\star_{l,1}, R^\star_{l,2}, R^\star_{l,3}, R^\star_{l,4}, R^\star_{l,5}, R^\star_{l,6}, R^\star_{l,7}) = \big(g^{t^\star}, g_{\phi_l}, h_{\phi_l}, g^{-\mathrm{ID}(x^\star_{k_l})}, g_{\psi_l}, h_{\psi_l}, g^{\mathrm{ID}(x^\star_{u_l})}\big), \tag{36}$$

for some indices $\phi_l, \psi_l \in \{1, \ldots, \ell\}$ and some node identifiers $\mathrm{ID}(x^\star_{k_l}), \mathrm{ID}(x^\star_{u_l}) \in \{1, \ldots, 2N-1\}$ that were chosen by $\mathcal{B}$ at the latest $Q_{revoke}$-query. Since, by hypothesis, $\sigma^\star$ contains a committed pair $(X^\star, C^\star_{v_i})$ that was signed by $\mathcal{B}$ during some $Q_{a\text{-}join}$-query, $\mathcal{B}$ also knows $(I^\star_1, \ldots, I^\star_\ell)$ such that $C^\star_{v_i} = \prod_{\kappa=1}^{\ell} g_\kappa^{I^\star_\kappa}$. Since $i^\star \in U^a \cap \mathcal{R}_{t^\star}$, it must hold that either:

- $I^\star_{\phi_l} \neq \mathrm{ID}(x^\star_{k_l})$: In this case, relations (36) and (32) imply that

$$e(g, C^\star_{v_i}) \cdot e(g^{-\mathrm{ID}(x^\star_{k_l})}, h_{\phi_l}) = e(g_{\phi_l}, W^\star_{\phi_l}) \tag{37}$$

for values $\phi_l \in \{1, \ldots, \ell\}$ and $\mathrm{ID}(x^\star_{k_l}) \in \{1, \ldots, 2N-1\}$ that are available to $\mathcal{B}$. At this point, $\mathcal{B}$ fails if $\phi_l \neq i^\star$. With probability $1/\ell$ however, it holds that $\phi_l = i^\star$ in which case $\mathcal{B}$ can solve the problem as follows. Since it knows $(I^\star_1, \ldots, I^\star_\ell)$ such that $C^\star_{v_i} = \prod_{\kappa=1}^{\ell} g_\kappa^{I^\star_\kappa}$, it can compute $W'_{\phi_l} = \prod_{\kappa=1,\,\kappa \neq \phi_l}^{\ell} h_{\phi_l,\kappa}^{I^\star_\kappa}$ which satisfies

$$e(g, C^\star_{v_i}) \cdot e(g^{-I^\star_{\phi_l}}, h_{\phi_l}) = e(g_{\phi_l}, W'_{\phi_l}). \tag{38}$$

By dividing (37) and (38), we find that $e\big(g_{i^\star}, (W^\star_{\phi_l}/W'_{\phi_l})^{1/(I^\star_{\phi_l} - \mathrm{ID}(x^\star_{k_l}))}\big) = e(g, h_{i^\star})$. This implies that, by computing $g^{1/a} = \big(W^\star_{\phi_l}/W'_{\phi_l}\big)^{1/\big((I^\star_{\phi_l} - \mathrm{ID}(x^\star_{k_l})) \cdot \prod_{\kappa \neq i^\star} z_\kappa\big)}$, $\mathcal{B}$ actually solves a problem which is at least as hard as FSDH.

- $I^\star_{\psi_l} = \mathrm{ID}(x^\star_{u_l})$: If we define $\varrho = -\log_g(\Psi^\star_{l,0})$, relations (36) and (33)-(35) imply that

$$e(g, C^\star_{v_i}) \cdot e(g^{-\varrho}, h_{\psi_l}) = e(g_{\psi_l}, W^\star_{\psi_l}) \tag{39}$$

$$g^{\varrho - I^\star_{\psi_l}} \neq 1_{\mathbb{G}} \tag{40}$$

$$\Psi^\star_{l,0} = g^{-\varrho} \tag{41}$$

$$\Psi^\star_{l,1} = g_{\psi_l}^{-\varrho}, \tag{42}$$

for some $\psi_l \in \{1, \ldots, \ell\}$. At this point, $\mathcal{B}$ halts and declares failure if $\psi_l \neq i^\star$. Still, with probability $1/\ell$, we have $\psi_l = i^\star$ and $\mathcal{B}$ can solve the 2-3-SqDH as follows. Similarly to the previous case, it can compute $W' = \prod_{\kappa=1,\,\kappa \neq \psi_l}^{\ell} h_{\psi_l,\kappa}^{I^\star_\kappa}$ such that

$$e(g, C^\star_{v_i}) \cdot e(g^{-I^\star_{\psi_l}}, h_{\psi_l}) = e(g_{\psi_l}, W'). \tag{43}$$

Now, by dividing (39) from (43), we obtain the equality $e(g, h_{\psi_l})^{\varrho - I^\star_{\psi_l}} = e(g_{\psi_l}, W'/W^\star_{\psi_l})$ which, if $\psi_l = i^\star$, implies $W'/W^\star_{\psi_l} = g^{(\varrho - I^\star_{\psi_l}) \cdot \prod_{\kappa \neq i^\star} z_\kappa / a}$. The triple

$$\Big( \big(\Psi^{\star\,-1}_{l,1} \cdot (g^a)^{-I^\star_{\psi_l}}\big)^{\prod_{\kappa \neq i^\star} z_\kappa},\ \big(\Psi^{\star\,-1}_{l,0} \cdot g^{-I^\star_{\psi_l}}\big)^{\prod_{\kappa \neq i^\star} z_\kappa},\ W'/W^\star_{\psi_l} \Big) = \Big( g^{a(\varrho - I^\star_{\psi_l}) \cdot \prod_{\kappa \neq i^\star} z_\kappa},\ g^{(\varrho - I^\star_{\psi_l}) \cdot \prod_{\kappa \neq i^\star} z_\kappa},\ g^{\frac{(\varrho - I^\star_{\psi_l}) \cdot \prod_{\kappa \neq i^\star} z_\kappa}{a}} \Big)$$

is a non-trivial solution to the FSDH instance.


In both cases, we observe that, if $\mathcal{A}$ is able to mount a Type II.b attack with probability $\varepsilon$, then $\mathcal{B}$ is able to break the Flexible Square Diffie-Hellman assumption with probability $\varepsilon/\ell$. $\square$

The proofs of anonymity and security against framing attacks are identical to those of the first scheme and omitted here.

C.4 Further Reducing the Number of Assumptions

We note that, using the technique of Malkin, Teranishi, Vahlis and Yung [48], it is possible to replace the SDH assumption by the standard Diffie-Hellman assumption in the proof of security against framing attacks. To this end, we must introduce a Waters-like [60] number-theoretic hash function (described by $O(\lambda)$ group elements) in the group public key in order to have a message-dependent Groth-Sahai CRS. Namely, all proofs of the signature are generated w.r.t. a Groth-Sahai CRS $(\vec{f}_1, \vec{f}_2, \vec{f}_{\mathsf{VK}})$, where $\vec{f}_{\mathsf{VK}}$ is obtained by "hashing" the verification key of a one-time signature. In order to secure the scheme against framing attacks, each group signature should prove knowledge of a value (such as $g^{1/x}$, where $x = \log_g(X)$) that only the signer knows. Finally, all non-interactive proofs should be signed along with the actual message using the private key $\mathsf{SK}$ of the one-time signature$^4$.

The details are omitted here but it is not hard to see that a successful framing attack would imply a PPT algorithm to compute $g^{1/x}$ given $X = g^x$, which is equivalent to solving the Diffie-Hellman problem. Eventually, we only need the $q$-SFP assumption, the FSDH assumption and the DLIN assumption to prove the security of the scheme. In the resulting group signature, the group public key is larger and comprises $O(\lambda + \log^2 N)$ group elements.

$^4$ The reason why $\vec{f}_{\mathsf{VK}}$ is not directly derived from $M$ is that we need to prevent Groth-Sahai proofs from being publicly randomized in order to achieve anonymity in the CCA2 sense: as noted in [35], signatures should not be re-randomizable in order to attain anonymity in the strongest sense.
